Sentry (Retired) / SENTRY-1392

Umask 077 leads to Hive crash with Sentry

Details

    • Bug
    • Status: Patch Available
    • Major
    • Resolution: Unresolved
    • 1.5.1
    • None
    • Hive Binding
    • CDH 5.7.1, Sentry 1.5.1

    • Important

    Description

      Hi,
      I installed CDH with Sentry and in Impala everything works fine. We have security demands that umask 077 should be used, so I changed the default 022 to 077.
      But Hive says "No databases found.". In /var/log/hive there is the following stack trace:

      2016-07-08 16:05:58,085 WARN org.apache.sentry.binding.metastore.SentryMetaStoreFilterHook: [HiveServer2-Handler-Pool: Thread-54]: Error getting DB list
      org.apache.hadoop.hive.ql.parse.SemanticException: org.apache.sentry.binding.hive.conf.InvalidConfigurationException: fs.permissions.umask-mode should be 077 in non-testing mode
      at org.apache.sentry.binding.hive.HiveAuthzBindingHook.getHiveBindingWithPrivilegeCache(HiveAuthzBindingHook.java:978)
      at org.apache.sentry.binding.hive.HiveAuthzBindingHook.filterShowDatabases(HiveAuthzBindingHook.java:836)
      at org.apache.sentry.binding.metastore.SentryMetaStoreFilterHook.filterDb(SentryMetaStoreFilterHook.java:131)
      at org.apache.sentry.binding.metastore.SentryMetaStoreFilterHook.filterDatabases(SentryMetaStoreFilterHook.java:59)
      at org.apache.hadoop.hive.metastore.HiveMetaStoreClient.getDatabases(HiveMetaStoreClient.java:1014)
      ......
      ......
      Caused by: org.apache.sentry.binding.hive.conf.InvalidConfigurationException: fs.permissions.umask-mode should be 077 in non-testing mode
      at org.apache.sentry.binding.hive.authz.HiveAuthzBinding.validateHiveServer2Config(HiveAuthzBinding.java:196)
      at org.apache.sentry.binding.hive.authz.HiveAuthzBinding.validateHiveConfig(HiveAuthzBinding.java:148)
      at org.apache.sentry.binding.hive.authz.HiveAuthzBinding.<init>(HiveAuthzBinding.java:96)
      at org.apache.sentry.binding.hive.HiveAuthzBindingHook.getHiveBindingWithPrivilegeCache(HiveAuthzBindingHook.java:974)
      ... 30 more

      I investigated this issue and in the source code I found the following lines:

      if("077".equalsIgnoreCase(defaultUmask)) {
        LOG.error("HiveServer2 required a default umask of 077");
        throw new InvalidConfigurationException(CommonConfigurationKeys.FS_PERMISSIONS_UMASK_KEY + " should be 077 in non-testing mode");
      }

      I think that one exclamation mark is missing:
      if (!"077".equalsIgnoreCase(defaultUmask)).....

      Thanks
      Marek
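
Added example, not code from Sentry or from the reporter: a stand-alone Java comparison of the condition as quoted in the description with the negated form proposed there, run over constructed umask values. The class and method names are hypothetical; the point it shows is that the quoted condition rejects only 077 and accepts 022, 000 and an unset value, so the check fails open as well as blocking the secure setting.

```java
public class UmaskCheckDemo {
    // Key name as printed in the exception message in the stack trace above.
    static final String UMASK_KEY = "fs.permissions.umask-mode";

    // Condition as quoted in the report: true means the configuration is rejected.
    static boolean quotedCheckRejects(String defaultUmask) {
        return "077".equalsIgnoreCase(defaultUmask);
    }

    // Condition with the negation the reporter proposes.
    static boolean negatedCheckRejects(String defaultUmask) {
        return !"077".equalsIgnoreCase(defaultUmask);
    }

    static String verdict(boolean rejects) {
        return rejects ? "reject" : "accept";
    }

    public static void main(String[] args) {
        // Constructed sample values; null stands for an unset key.
        String[] samples = {"077", "022", "000", null};
        System.out.printf("%-28s %-8s %-8s%n", UMASK_KEY, "quoted", "negated");
        for (String umask : samples) {
            System.out.printf("%-28s %-8s %-8s%n",
                    String.valueOf(umask),
                    verdict(quotedCheckRejects(umask)),
                    verdict(negatedCheckRejects(umask)));
        }
    }
}
```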

      Attachments

        1. SENTRY-1392.002.patch
          1 kB
          Lars Francke
        2. SENTRY-1392.001.patch
          1 kB
          Lars Francke

            People

              larsfrancke Lars Francke
              msusicky Marek Sušický
              Votes: 0
              Watchers: 3

                Time Tracking

                  Estimated: 24h
                  Remaining: 24h
                  Logged: Not Specified