Marek Sušický created SENTRY-1392:
-------------------------------------

             Summary: Umask 077 leads to Hive crash with Sentry
                 Key: SENTRY-1392
                 URL: https://issues.apache.org/jira/browse/SENTRY-1392
             Project: Sentry
          Issue Type: Bug
          Components: Hive Binding
    Affects Versions: 1.5.1
         Environment: CDH 5.7.1, Sentry 1.5.1
            Reporter: Marek Sušický


Hi,
I installed CDH with Sentry and in Impala everything works fine. We have 
security demands that umask 077 should be used, so I changed the default 022 to 077.
But Hive says "No databases found.". In /var/log/hive there is the following stack trace:

2016-07-08 16:05:58,085 WARN  org.apache.sentry.binding.metastore.SentryMetaStoreFilterHook: [HiveServer2-Handler-Pool: Thread-54]: Error getting DB list
org.apache.hadoop.hive.ql.parse.SemanticException: org.apache.sentry.binding.hive.conf.InvalidConfigurationException: fs.permissions.umask-mode should be 077 in non-testing mode
        at org.apache.sentry.binding.hive.HiveAuthzBindingHook.getHiveBindingWithPrivilegeCache(HiveAuthzBindingHook.java:978)
        at org.apache.sentry.binding.hive.HiveAuthzBindingHook.filterShowDatabases(HiveAuthzBindingHook.java:836)
        at org.apache.sentry.binding.metastore.SentryMetaStoreFilterHook.filterDb(SentryMetaStoreFilterHook.java:131)
        at org.apache.sentry.binding.metastore.SentryMetaStoreFilterHook.filterDatabases(SentryMetaStoreFilterHook.java:59)
        at org.apache.hadoop.hive.metastore.HiveMetaStoreClient.getDatabases(HiveMetaStoreClient.java:1014)
......
......
Caused by: org.apache.sentry.binding.hive.conf.InvalidConfigurationException: fs.permissions.umask-mode should be 077 in non-testing mode
        at org.apache.sentry.binding.hive.authz.HiveAuthzBinding.validateHiveServer2Config(HiveAuthzBinding.java:196)
        at org.apache.sentry.binding.hive.authz.HiveAuthzBinding.validateHiveConfig(HiveAuthzBinding.java:148)
        at org.apache.sentry.binding.hive.authz.HiveAuthzBinding.<init>(HiveAuthzBinding.java:96)
        at org.apache.sentry.binding.hive.HiveAuthzBindingHook.getHiveBindingWithPrivilegeCache(HiveAuthzBindingHook.java:974)
        ... 30 more

I investigated this issue and in the source code I found the following lines:

    if("077".equalsIgnoreCase(defaultUmask)) {
      LOG.error("HiveServer2 required a default umask of 077");
      throw new InvalidConfigurationException(CommonConfigurationKeys.FS_PERMISSIONS_UMASK_KEY +
          " should be 077 in non-testing mode");
    }

I think that one exclamation mark is missing:
if (!"077".equalsIgnoreCase(defaultUmask)).....

Thanks
Marek



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
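
The condition quoted in the report, next to the negated form the reporter proposes, run over a few umask strings. This is an added example, not part of the original message and not Sentry's code: the class and method names and the sample values are constructed, and IllegalStateException stands in for InvalidConfigurationException.

```java
import java.util.function.Consumer;

// Added illustration; names here are hypothetical, not taken from Sentry.
public class UmaskGuardDemo {
    static final String UMASK_KEY = "fs.permissions.umask-mode";

    // Guard as quoted in the report: throws when the umask IS "077".
    static void guardAsReported(String defaultUmask) {
        if ("077".equalsIgnoreCase(defaultUmask)) {
            throw new IllegalStateException(UMASK_KEY + " should be 077 in non-testing mode");
        }
    }

    // Guard with the proposed negation: throws when the umask is NOT "077".
    static void guardWithNegation(String defaultUmask) {
        if (!"077".equalsIgnoreCase(defaultUmask)) {
            throw new IllegalStateException(UMASK_KEY + " should be 077 in non-testing mode");
        }
    }

    // Runs a guard and reports whether the configuration value passed it.
    static boolean accepts(Consumer<String> guard, String umask) {
        try {
            guard.accept(umask);
            return true;
        } catch (IllegalStateException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample values; null models an unset property.
        String[] samples = {"077", "022", "0077", null};
        for (String umask : samples) {
            System.out.printf("umask=%-5s asReported=%-6s withNegation=%s%n",
                umask,
                accepts(UmaskGuardDemo::guardAsReported, umask) ? "accept" : "reject",
                accepts(UmaskGuardDemo::guardWithNegation, umask) ? "accept" : "reject");
        }
    }
}
```

Because the comparison is on the literal string, the negated guard also rejects "0077", so a regression test for the fix should pin down which spellings of the umask are meant to pass.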
