[ https://issues.apache.org/jira/browse/HIVE-11481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14999671#comment-14999671 ]

Carita Ou commented on HIVE-11481:
----------------------------------

Hi Szehon,

Thanks for reviewing the patch. Yes, this patch sets the default ACLs if they exist, and if not, it sets the traditional user/group/other permissions.

The difference between this patch and the old way is how we're setting the group permissions. When an ACL is set on a directory, the value returned from sourcePerm.getGroupAction() is not the actual group permissions, it is the mask. When we set a named user or named/unnamed group ACL, the mask is automatically defined as the union of those permissions. For example, drwxrwx---+ is actually showing the user:mask:other.

When there are ACLs set on a directory, the child directory is already created with the correct group ACL permissions in the current implementation. The issue is that the group file permissions are not set correctly because they were overwritten with the parent's mask (retrieved from sourcePerm.getGroupAction()).

This patch fixes the issue by not overwriting the group with the parent's mask file permissions if there are ACLs for the directory, keeping the group value that was set earlier with the chgrp command in the method. We only need to set the group ACL entry if there are no ACL entries set.

> hive incorrectly set extended ACLs for unnamed group for new databases/tables
> with inheritPerms enabled
> -------------------------------------------------------------------------------------------------------
>
>                 Key: HIVE-11481
>                 URL: https://issues.apache.org/jira/browse/HIVE-11481
>             Project: Hive
>          Issue Type: Bug
>          Components: Metastore
>    Affects Versions: 0.14.0, 1.0.0, 1.2.0, 1.1.0, 1.2.1
>            Reporter: Carita Ou
>            Assignee: Carita Ou
>            Priority: Minor
>         Attachments: HIVE-11481.1.patch, HIVE-11481.2.patch
>
>
> $ hadoop fs -chmod 700 /user/hive/warehouse
> $ hadoop fs -setfacl -m user:user1:rwx /user/hive/warehouse
> $ hadoop fs -setfacl -m default:user::rwx /user/hive/warehouse
> $ hadoop fs -ls /user/hive
> Found 1 items
> drwxrwx---+ - hive hadoop 0 2015-08-05 10:29 /user/hive/warehouse
> $ hadoop fs -getfacl /user/hive/warehouse
> # file: /user/hive/warehouse
> # owner: hive
> # group: hadoop
> user::rwx
> user:user1:rwx
> group::---
> mask::rwx
> other::---
> default:user::rwx
> default:group::---
> default:other::---
> In hive cli> create database testing;
> $ hadoop fs -ls /user/hive/warehouse
> Found 1 items
> drwxrwx---+ - hive hadoop 0 2015-08-05 10:44 /user/hive/warehouse/testing.db
> $ hadoop fs -getfacl /user/hive/warehouse/testing.db
> # file: /user/hive/warehouse/testing.db
> # owner: hive
> # group: hadoop
> user::rwx
> user:user1:rwx
> group::rwx
> mask::rwx
> other::---
> default:user::rwx
> default:group::---
> default:other::---
> Since the warehouse directory has default group permission set to ---, the
> group permissions for testing.db should also be ---
> The warehouse directory permissions show drwxrwx---+ which corresponds to
> user:mask:other. The subdirectory group ACL is set by calling
> FsPermission.getGroupAction() from Hadoop, which retrieves the file status
> permission rwx instead of the actual ACL permission, which is ---.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
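
An added example, not part of the original message or of the Hive patch: a Python sketch that parses the two `getfacl` listings from the issue description (abridged), shows that the middle triplet of the `ls` mode string is the mask rather than `group::`, and flags a child directory whose unnamed group entry differs from the parent's `default:group::`. The function and constant names are hypothetical.

```python
# Added example. ACL listings abridged from the HIVE-11481 issue description.
PARENT_ACL = """\
# file: /user/hive/warehouse
user::rwx
user:user1:rwx
group::---
mask::rwx
other::---
default:user::rwx
default:group::---
default:other::---
"""
CHILD_ACL = """\
# file: /user/hive/warehouse/testing.db
user::rwx
user:user1:rwx
group::rwx
mask::rwx
other::---
"""

def parse_getfacl(text):
    """Parse getfacl output into {(scope, type, name): perms}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and the "# file/owner/group" header
        parts = line.split(":")
        scope = "access"
        if parts[0] == "default":
            scope, parts = "default", parts[1:]
        etype, name, perms = parts
        entries[(scope, etype, name)] = perms
    return entries

def mode_string(entries):
    """Permission bits as ls shows them: user, then mask if present, then other."""
    middle = entries.get(("access", "mask", ""), entries[("access", "group", "")])
    return entries[("access", "user", "")] + middle + entries[("access", "other", "")]

def group_mismatch(parent, child):
    """Return (expected, actual) when the child's group:: entry differs from
    the parent's default:group::, or None when it matches or no default exists."""
    expected = parent.get(("default", "group", ""))
    actual = child[("access", "group", "")]
    return None if expected is None or actual == expected else (expected, actual)

if __name__ == "__main__":
    parent, child = parse_getfacl(PARENT_ACL), parse_getfacl(CHILD_ACL)
    print(mode_string(parent), group_mismatch(parent, child))
```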