[ 
https://issues.apache.org/jira/browse/HIVE-11481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15014672#comment-15014672
 ] 

Szehon Ho commented on HIVE-11481:
----------------------------------

Hi Carita, I spent some time reading up on default ACLs and taking a deeper 
look and have some review questions.

1.  Shouldn't we also set default ACLs on the child, if it is a directory?  
This code may be called in situations where the input is a nested directory 
(like multi-column partition tables).  "When a directory is created inside a 
directory that has a default ACL, the new directory inherits the parent 
directory's default ACL both as its access ACL and default ACL."


2.  Do we still need to remove the base ACLs regardless of whether there are 
no defaults?  If I recall correctly it was to prevent some duplicates (as you 
are again setting USER and OTHER).

3.  Can you write a test case that uses DEFAULT ACLs?  The test you added 
seems to use AclEntryScope.ACCESS but not DEFAULT.

> hive incorrectly set extended ACLs for unnamed group for new databases/tables 
> with inheritPerms enabled
> -------------------------------------------------------------------------------------------------------
>
>                 Key: HIVE-11481
>                 URL: https://issues.apache.org/jira/browse/HIVE-11481
>             Project: Hive
>          Issue Type: Bug
>          Components: Metastore
>    Affects Versions: 0.14.0, 1.0.0, 1.2.0, 1.1.0, 1.2.1
>            Reporter: Carita Ou
>            Assignee: Carita Ou
>            Priority: Minor
>         Attachments: HIVE-11481.1.patch, HIVE-11481.2.patch
>
>
> $ hadoop fs -chmod 700 /user/hive/warehouse
> $ hadoop fs -setfacl -m user:user1:rwx /user/hive/warehouse
> $ hadoop fs -setfacl -m default:user::rwx /user/hive/warehouse
> $ hadoop fs -ls /user/hive
> Found 1 items
> drwxrwx---+  - hive hadoop          0 2015-08-05 10:29 /user/hive/warehouse
> $ hadoop fs -getfacl /user/hive/warehouse
> # file: /user/hive/warehouse
> # owner: hive
> # group: hadoop
> user::rwx
> user:user1:rwx
> group::---
> mask::rwx
> other::---
> default:user::rwx
> default:group::---
> default:other::---
> In hive cli> create database testing;
> $ hadoop fs -ls /user/hive/warehouse
> Found 1 items
> drwxrwx---+  - hive hadoop          0 2015-08-05 10:44 
> /user/hive/warehouse/testing.db
> $hadoop fs -getfacl /user/hive/warehouse/testing.db
> # file: /user/hive/warehouse/testing.db
> # owner: hive
> # group: hadoop
> user::rwx
> user:user1:rwx
> group::rwx
> mask::rwx
> other::---
> default:user::rwx
> default:group::---
> default:other::---
> Since the warehouse directory has default group permission set to ---, the 
> group permissions for testing.db should also be ---
> The warehouse directory permissions show drwxrwx---+ which corresponds to 
> user:mask:other. The subdirectory group ACL is set by calling 
> FsPermission.getGroupAction() from Hadoop, which retrieves the file status 
> permission rwx instead of the actual ACL permission, which is ---. 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
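
Added example (not part of the original message or of the Hive patches): a small checker that runs the comparison made in the issue description over the getfacl entries quoted there. It shows that the group bits of an `ls` mode string reflect the mask once an extended ACL is present, and flags child access entries that differ from the parent's default entries. The function names are hypothetical, and the "child access entry should equal the parent default entry" rule is the expectation stated in the report.

```python
# Constructed sample input: the ACL entries and mode string quoted in HIVE-11481.
DEFAULTS = "default:user::rwx\ndefault:group::---\ndefault:other::---\n"
PARENT_ACL = "user::rwx\nuser:user1:rwx\ngroup::---\nmask::rwx\nother::---\n" + DEFAULTS
CHILD_ACL = "user::rwx\nuser:user1:rwx\ngroup::rwx\nmask::rwx\nother::---\n" + DEFAULTS
PARENT_MODE = "drwxrwx---+"


def parse_getfacl(text):
    """Parse `hadoop fs -getfacl` output into (access, default) dicts
    keyed by (entry type, name), e.g. ("user", "user1") -> "rwx"."""
    access, default = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop "# file:", "# owner:" headers
        if not line:
            continue
        parts = line.split(":")
        target = access
        if parts[0] == "default":
            target, parts = default, parts[1:]
        if len(parts) != 3:
            raise ValueError(f"malformed ACL entry: {raw!r}")
        kind, name, perms = parts
        target[(kind, name)] = perms
    return access, default


def group_class(mode, acl_text):
    """Report what the middle triplet of an `ls` mode string stands for.
    With an extended ACL ('+' suffix) it is the mask, not the group:: entry."""
    access, _ = parse_getfacl(acl_text)
    extended = mode.endswith("+") and ("mask", "") in access
    return {"mode_bits": mode[4:7],
            "reflects": "mask" if extended else "group",
            "group_entry": access.get(("group", ""))}


def inheritance_mismatches(parent_text, child_text):
    """Return {entry: (parent default perms, child access perms)} for every
    child access entry that differs from the parent's default entry."""
    _, parent_default = parse_getfacl(parent_text)
    child_access, _ = parse_getfacl(child_text)
    return {key: (want, child_access.get(key))
            for key, want in parent_default.items()
            if child_access.get(key) != want}


if __name__ == "__main__":
    print(group_class(PARENT_MODE, PARENT_ACL))
    print(inheritance_mismatches(PARENT_ACL, CHILD_ACL))
```
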
