[ https://issues.apache.org/jira/browse/SENTRY-1392?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16772313#comment-16772313 ]
Lars Francke commented on SENTRY-1392:
--------------------------------------

Sorry for this blast from the past but thanks for jumping in Brock! I agree that 007 is usually a sensible choice but just checking the umask isn't really enough to guarantee anything. It could still be the wrong owner/group. I doubt this has "saved" many people but at least a few have been bitten by it.

> Umask 077 leads to Hive crash with Sentry
> -----------------------------------------
>
>                 Key: SENTRY-1392
>                 URL: https://issues.apache.org/jira/browse/SENTRY-1392
>             Project: Sentry
>          Issue Type: Bug
>          Components: Hive Binding
>   Affects Versions: 1.5.1
>         Environment: CDH 5.7.1, Sentry 1.5.1
>            Reporter: Marek Sušický
>            Assignee: Lars Francke
>            Priority: Major
>              Labels: easyfix
>         Attachments: SENTRY-1392.001.patch, SENTRY-1392.002.patch
>
>   Original Estimate: 24h
>  Remaining Estimate: 24h
>
> Hi,
> I installed CDH with Sentry and in Impala everything works fine. We have security demands that umask 077 should be used, so I changed the default 022 to 077.
> But Hive says "No databases found.".
> In /var/log/hive is the following stacktrace:
> 2016-07-08 16:05:58,085 WARN org.apache.sentry.binding.metastore.SentryMetaStoreFilterHook: [HiveServer2-Handler-Pool: Thread-54]: Error getting DB list
> org.apache.hadoop.hive.ql.parse.SemanticException: org.apache.sentry.binding.hive.conf.InvalidConfigurationException: fs.permissions.umask-mode should be 077 in non-testing mode
>       at org.apache.sentry.binding.hive.HiveAuthzBindingHook.getHiveBindingWithPrivilegeCache(HiveAuthzBindingHook.java:978)
>       at org.apache.sentry.binding.hive.HiveAuthzBindingHook.filterShowDatabases(HiveAuthzBindingHook.java:836)
>       at org.apache.sentry.binding.metastore.SentryMetaStoreFilterHook.filterDb(SentryMetaStoreFilterHook.java:131)
>       at org.apache.sentry.binding.metastore.SentryMetaStoreFilterHook.filterDatabases(SentryMetaStoreFilterHook.java:59)
>       at org.apache.hadoop.hive.metastore.HiveMetaStoreClient.getDatabases(HiveMetaStoreClient.java:1014)
> ......
> ......
> Caused by: org.apache.sentry.binding.hive.conf.InvalidConfigurationException: fs.permissions.umask-mode should be 077 in non-testing mode
>       at org.apache.sentry.binding.hive.authz.HiveAuthzBinding.validateHiveServer2Config(HiveAuthzBinding.java:196)
>       at org.apache.sentry.binding.hive.authz.HiveAuthzBinding.validateHiveConfig(HiveAuthzBinding.java:148)
>       at org.apache.sentry.binding.hive.authz.HiveAuthzBinding.<init>(HiveAuthzBinding.java:96)
>       at org.apache.sentry.binding.hive.HiveAuthzBindingHook.getHiveBindingWithPrivilegeCache(HiveAuthzBindingHook.java:974)
>       ... 30 more
> I investigated this issue and in the source code I found the following lines:
>       if("077".equalsIgnoreCase(defaultUmask)) {
>         LOG.error("HiveServer2 required a default umask of 077");
>         throw new InvalidConfigurationException(CommonConfigurationKeys.FS_PERMISSIONS_UMASK_KEY +
>             " should be 077 in non-testing mode");
>       }
> I think that one exclamation mark is missing:
> if (!"077".equalsIgnoreCase(defaultUmask)).....
> Thanks
> Marek

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
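
The comment's point that a correct umask says nothing about owner or group, as an added example (not Sentry code and not taken from the issue or its patches): an audit that inspects a path's actual mode, owner and group instead of a configured umask string. The class name `PermissionAudit`, the group name `hive` and the use of a local POSIX filesystem in place of HDFS are assumptions made for illustration.

```java
import java.io.IOException;
import java.nio.file.*;
import java.nio.file.attribute.*;
import java.util.*;

// Added example: checks what is really on disk rather than trusting a umask setting.
// Assumes a local POSIX filesystem; HDFS would need the Hadoop FileSystem API instead.
public class PermissionAudit {

    // Bits a umask of 077 is meant to keep off: everything for group and others.
    private static final Set<PosixFilePermission> FORBIDDEN = EnumSet.of(
            PosixFilePermission.GROUP_READ, PosixFilePermission.GROUP_WRITE,
            PosixFilePermission.GROUP_EXECUTE, PosixFilePermission.OTHERS_READ,
            PosixFilePermission.OTHERS_WRITE, PosixFilePermission.OTHERS_EXECUTE);

    // Returns a list of findings; an empty list means the path passed every check.
    static List<String> audit(Path path, String expectedOwner, String expectedGroup)
            throws IOException {
        PosixFileAttributes attrs = Files.readAttributes(
                path, PosixFileAttributes.class, LinkOption.NOFOLLOW_LINKS);
        List<String> findings = new ArrayList<>();

        Set<PosixFilePermission> excess = EnumSet.noneOf(PosixFilePermission.class);
        excess.addAll(attrs.permissions());
        excess.retainAll(FORBIDDEN);
        if (!excess.isEmpty()) {
            findings.add("mode " + PosixFilePermissions.toString(attrs.permissions())
                    + " grants group/other access");
        }
        if (!attrs.owner().getName().equals(expectedOwner)) {
            findings.add("owner is " + attrs.owner().getName() + ", expected " + expectedOwner);
        }
        if (!attrs.group().getName().equals(expectedGroup)) {
            findings.add("group is " + attrs.group().getName() + ", expected " + expectedGroup);
        }
        return findings;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a temp directory created rwx------ by the current user.
        Path dir = Files.createTempDirectory("audit-demo", PosixFilePermissions
                .asFileAttribute(PosixFilePermissions.fromString("rwx------")));
        String me = Files.getOwner(dir).getName();
        // Mode and owner match; the group is still checked on its own ("hive" is a placeholder).
        System.out.println(audit(dir, me, "hive"));
        // Mode matches but the owner does not: a umask-only check cannot see this.
        System.out.println(audit(dir, "hive", "hive"));
        Files.delete(dir);
    }
}
```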