[jira] [Commented] (HIVE-6892) Permission inheritance issues
[ https://issues.apache.org/jira/browse/HIVE-6892?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14253201#comment-14253201 ]

Lefty Leverenz commented on HIVE-6892:
--------------------------------------

Thanks for finding that link, [~szehon]. I changed it to an internal link so now it shows up in the page information as an incoming link.

* [Page information for Permission Inheritance in Hive | https://cwiki.apache.org/confluence/pages/viewinfo.action?pageId=48203008]

> Permission inheritance issues
> -----------------------------
>
> Key: HIVE-6892
> URL: https://issues.apache.org/jira/browse/HIVE-6892
> Project: Hive
> Issue Type: Bug
> Components: Security
> Affects Versions: 0.13.0
> Reporter: Szehon Ho
> Assignee: Szehon Ho
>
> *HDFS Background*
> * When a file or directory is created, its owner is the user identity of the
> client process, and its group is inherited from parent (the BSD rule).
> Permissions are taken from default umask. Extended Acl's are taken from
> parent unless they are set explicitly.
>
> *Goals*
> To reduce need to set fine-grain file security props after every operation,
> users may want the following Hive warehouse file/dir to auto-inherit security
> properties from their directory parents:
> * Directories created by new database/table/partition/bucket
> * Files added to tables via load/insert
> * Table directories exported/imported (open question of whether exported
> table inheriting perm from new parent needs another flag)
>
> What may be inherited:
> * Basic file permission
> * Groups (already done by HDFS for new directories)
> * Extended ACL's (already done by HDFS for new directories)
>
> *Behavior*
> * When "hive.warehouse.subdir.inherit.perms" flag is enabled in Hive, Hive
> will try to do all above inheritances. In the future, we can add more flags
> for more finer-grained control.
> * Failure by Hive to inherit will not cause operation to fail. Rule of thumb
> of when security-prop inheritance will happen is the following:
> ** To run chmod, a user must be the owner of the file, or else a super-user.
> ** To run chgrp, a user must be the owner of files, or else a super-user.
> ** Hence, user that hive runs as (either 'hive' or the logged-in user in case
> of impersonation), must be super-user or owner of the file whose security
> properties are going to be changed.

--
This message was sent by Atlassian JIRA (v6.3.4#6332)
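The issue text quoted above says that a failed inheritance does not fail the Hive operation, so drift has to be found after the fact. The following added example (not part of the original thread or of Hive's code) audits a recursive HDFS listing for children whose permission bits or group differ from their parent, and applies the owner-or-super-user rule of thumb to tell whether the account Hive runs as could have fixed them. The listing is constructed sample data; the helper names, the `hdfs` super-user default, and treating "inherited" as "identical mode string and group" are assumptions of this example.

```python
import posixpath

# Constructed sample of `hdfs dfs -ls -R /user/hive/warehouse` output.
SAMPLE_LS = """\
drwxrwx---   - hive  analysts     0 2014-12-18 10:00 /user/hive/warehouse/sales.db
drwxrwx---   - hive  analysts     0 2014-12-18 10:01 /user/hive/warehouse/sales.db/orders
-rwxrwx---   3 hive  analysts  2048 2014-12-18 10:02 /user/hive/warehouse/sales.db/orders/000000_0
drwxr-xr-x   - alice analysts     0 2014-12-18 10:03 /user/hive/warehouse/sales.db/orders/ds=2014-12-18
-rw-r--r--   3 alice analysts  4096 2014-12-18 10:04 /user/hive/warehouse/sales.db/orders/ds=2014-12-18/000000_0
drwxr-xr-x   - hive  hive         0 2014-12-18 10:05 /user/hive/warehouse/sales.db/tmp_export
"""


def parse_ls(text):
    """Map path -> {mode, owner, group} from `hdfs dfs -ls -R` style lines."""
    entries = {}
    for line in text.splitlines():
        parts = line.split(None, 7)  # the path is the 8th field and may contain spaces
        if len(parts) != 8 or parts[0][0] not in "d-":
            continue  # skips blank lines and the "Found N items" header
        perms, _repl, owner, group, _size, _date, _time, path = parts
        # perms[1:10] drops the type character and any trailing '+' ACL marker.
        entries[path] = {"mode": perms[1:10], "owner": owner, "group": group}
    return entries


def audit(entries, run_as, superusers=("hdfs",)):
    """Return (path, drifted_fields, could_fix) for each child that differs from its parent.

    could_fix applies the rule of thumb from the issue: chmod/chgrp needs the
    caller (run_as, the account Hive executes as) to be the owner or a super-user.
    """
    findings = []
    for path, child in sorted(entries.items()):
        parent = entries.get(posixpath.dirname(path))
        if parent is None:
            continue  # parent is outside the listing (top of the audited tree)
        drift = [k for k in ("mode", "group") if child[k] != parent[k]]
        if drift:
            could_fix = run_as == child["owner"] or run_as in superusers
            findings.append((path, drift, could_fix))
    return findings


if __name__ == "__main__":
    for path, drift, could_fix in audit(parse_ls(SAMPLE_LS), run_as="hive"):
        reason = "flag off or path created outside Hive" if could_fix \
            else "run-as user is neither owner nor super-user"
        print(f"{path}: {','.join(drift)} differ from parent ({reason})")
```

Entries with `could_fix` false are the silent-failure case the issue describes; entries with it true point at the flag being disabled or the path having been created outside Hive.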
[jira] [Commented] (HIVE-6892) Permission inheritance issues
[ https://issues.apache.org/jira/browse/HIVE-6892?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14252924#comment-14252924 ]

Szehon Ho commented on HIVE-6892:
---------------------------------

Ah I found it. I added a link from [HCatalog Authorization|https://cwiki.apache.org/confluence/display/Hive/HCatalog+Authorization] where it discusses file permissions. That in turn is referred from [Storage Based Authorization|https://cwiki.apache.org/confluence/display/Hive/Storage+Based+Authorization+in+the+Metastore+Server].

There is also a link from: [Configuration Properties|https://cwiki.apache.org/confluence/display/Hive/Configuration+Properties].

I will remove the label then.
[jira] [Commented] (HIVE-6892) Permission inheritance issues
[ https://issues.apache.org/jira/browse/HIVE-6892?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14252036#comment-14252036 ]

Szehon Ho commented on HIVE-6892:
---------------------------------

Strange, I thought I added a link from "Storage Based Authorization", but I must have forgotten to save it. I'll try to add it and remove the label.
[jira] [Commented] (HIVE-6892) Permission inheritance issues
[ https://issues.apache.org/jira/browse/HIVE-6892?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14251359#comment-14251359 ]

Lefty Leverenz commented on HIVE-6892:
--------------------------------------

Can we remove the TODOC14 label now?

Also, should any other docs have links to Permission Inheritance in Hive? For example, Authorization or Storage Based Authorization:

* [Authorization | https://cwiki.apache.org/confluence/display/Hive/LanguageManual+Authorization]
* [Storage Based Authorization | https://cwiki.apache.org/confluence/display/Hive/Storage+Based+Authorization+in+the+Metastore+Server]
[jira] [Commented] (HIVE-6892) Permission inheritance issues
[ https://issues.apache.org/jira/browse/HIVE-6892?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14213352#comment-14213352 ]

Lefty Leverenz commented on HIVE-6892:
--------------------------------------

I don't have any experience with that, [~szehon]. Have you taken a look at how it's done in the Open Issues section of HBase Integration?

* [HBase Integration -- Open Issues | https://cwiki.apache.org/confluence/display/Hive/HBaseIntegration#HBaseIntegration-OpenIssues(JIRA)]

It was added by [~cwsteinbach] in version 8 of the doc, so maybe Carl can help you. Or maybe all you need is this:

* [Versions Compared -- 7 to 8 | https://cwiki.apache.org/confluence/pages/diffpagesbyversion.action?pageId=27362089&selectedPageVersions=8&selectedPageVersions=7]

You might already know, but it's a JIRA Issue box which can be inserted in edit mode from the "+" drop-down list (Insert More Content). Did you do that, then hit a snag with the query?
[jira] [Commented] (HIVE-6892) Permission inheritance issues
[ https://issues.apache.org/jira/browse/HIVE-6892?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14213256#comment-14213256 ]

Szehon Ho commented on HIVE-6892:
---------------------------------

Thanks Lefty, I think it's a lower level than Storage Based Authorization, because if the flag is on then permissions will be inherited regardless of which authorization is configured. I updated [Storage Based Authorization|https://cwiki.apache.org/confluence/display/Hive/Storage+Based+Authorization+in+the+Metastore+Server] to add the link according to this understanding.

Question for you, I had a JQL I wanted to in [Permission Inheritance in Hive|https://cwiki.apache.org/confluence/display/Hive/Permission+Inheritance+in+Hive] page to display the full list of patches:

    project = HIVE and issue in linkedIssues(HIVE-6892)

but it's giving me some wiki runtimeError when I try. Do you know how to make that work? Thanks.
[jira] [Commented] (HIVE-6892) Permission inheritance issues
[ https://issues.apache.org/jira/browse/HIVE-6892?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14207796#comment-14207796 ]

Lefty Leverenz commented on HIVE-6892:
--------------------------------------

That sounds good, [~szehon], although additional links from other docs could increase visibility for this issue.

Perhaps we need more documentation about *hive.warehouse.subdir.inherit.perms* somewhere besides Configuration Properties. How does this relate to storage-based authorization? When storage-based authorization is not being used, is this still relevant to create/load/insert/export/import commands?

Oh, cool, you've already added the new page.

Reference links:

* [Configuration Properties -- hive.warehouse.subdir.inherit.perms | https://cwiki.apache.org/confluence/display/Hive/Configuration+Properties#ConfigurationProperties-hive.warehouse.subdir.inherit.perms]
* [Permission Inheritance in Hive | https://cwiki.apache.org/confluence/display/Hive/Permission+Inheritance+in+Hive]
* [Storage Based Authorization | https://cwiki.apache.org/confluence/display/Hive/Storage+Based+Authorization+in+the+Metastore+Server]
[jira] [Commented] (HIVE-6892) Permission inheritance issues
[ https://issues.apache.org/jira/browse/HIVE-6892?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14207300#comment-14207300 ]

Szehon Ho commented on HIVE-6892:
---------------------------------

I am thinking to create a new wiki child page and add the information of this JIRA directly there, and link from [https://cwiki.apache.org/confluence/display/Hive/Configuration+Properties|https://cwiki.apache.org/confluence/display/Hive/Configuration+Properties]

+ [~leftylev] do you have any better thoughts? Thanks