Details
-
Bug
-
Status: Patch Available
-
Major
-
Resolution: Unresolved
-
1.5.1
-
None
-
CDH 5.7.1, Sentry 1.5.1
-
Important
Description
Hi,
I installed CDH with Sentry and in Impala everything works fine. We have security demands that umask 077 should be used, so I changed default 022 to 077.
But Hive says "No databases found.". In /var/log/hive is following stacktrace:
2016-07-08 16:05:58,085 WARN org.apache.sentry.binding.metastore.SentryMetaStoreFilterHook: [HiveServer2-Handler-Pool: Thread-54]: Error getting DB list
org.apache.hadoop.hive.ql.parse.SemanticException: org.apache.sentry.binding.hive.conf.InvalidConfigurationException: fs.permissions.umask-mode should be 077 in non-testing mode
at org.apache.sentry.binding.hive.HiveAuthzBindingHook.getHiveBindingWithPrivilegeCache(HiveAuthzBindingHook.java:978)
at org.apache.sentry.binding.hive.HiveAuthzBindingHook.filterShowDatabases(HiveAuthzBindingHook.java:836)
at org.apache.sentry.binding.metastore.SentryMetaStoreFilterHook.filterDb(SentryMetaStoreFilterHook.java:131)
at org.apache.sentry.binding.metastore.SentryMetaStoreFilterHook.filterDatabases(SentryMetaStoreFilterHook.java:59)
at org.apache.hadoop.hive.metastore.HiveMetaStoreClient.getDatabases(HiveMetaStoreClient.java:1014)
......
......
Caused by: org.apache.sentry.binding.hive.conf.InvalidConfigurationException: fs.permissions.umask-mode should be 077 in non-testing mode
at org.apache.sentry.binding.hive.authz.HiveAuthzBinding.validateHiveServer2Config(HiveAuthzBinding.java:196)
at org.apache.sentry.binding.hive.authz.HiveAuthzBinding.validateHiveConfig(HiveAuthzBinding.java:148)
at org.apache.sentry.binding.hive.authz.HiveAuthzBinding.<init>(HiveAuthzBinding.java:96)
at org.apache.sentry.binding.hive.HiveAuthzBindingHook.getHiveBindingWithPrivilegeCache(HiveAuthzBindingHook.java:974)
... 30 more
I investigated this issue and in sourcecode I found following lines:
if("077".equalsIgnoreCase(defaultUmask))
{ LOG.error("HiveServer2 required a default umask of 077"); throw new InvalidConfigurationException(CommonConfigurationKeys.FS_PERMISSIONS_UMASK_KEY + " should be 077 in non-testing mode"); }I think, that one exclamation mark is missing:
if (!"077".equalsIgnoreCase(defaultUmask)).....
Thanks
Marek
Attachments
Attachments
Issue Links
- is related to
-
SENTRY-7 Error message in HiveAuthzBinding when unmask is set to 077 is confusing
- Open