Sentry (Retired) / SENTRY-953

External Partitions which are referenced by more than one table can cause some unexpected behavior with Sentry HDFS sync

Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • 1.6.0
    • 1.7.0
    • Sentry
    • None

    Description

      With Sentry HDFS ACL Sync enabled:

      Under a configured prefix create two external permission directories;

      # file: /location/pk=1
      # owner: ryanp
      # group: ryanp
      user::rwx
      group::rwx
      other::rwx

      # file: /location/pk=2
      # owner: ryanp
      # group: ryanp
      user::rwx
      group::rwx
      other::rwx

      Once a table is created that references these partitions they begin to act as managed directories as expected.

      drwxrwx---+ - hive hive 0 2015-11-04 11:07 /location/pk=1
      drwxrwx---+ - hive hive 0 2015-11-04 11:07 /location/pk=2

      The problem however arrives once we have two tables referencing these partitions with different grants placed against them.

      *both table1 and table2 include both partitions

      grant all on table home1 to role table1;
      grant role home1 to group root;

      grant all on table home2 to role table2;
      grant role home2 to group ryanp;

      You will notice that only the first grant takes effect on the managed directories:

      # file: /location/pk=1
      # owner: hive
      # group: hive
      user::rwx
      user:hive:rwx
      group:root:rwx
      group::---
      group:hive:rwx
      mask::rwx
      other::---

      # file: /location/pk=2
      # owner: hive
      # group: hive
      user::rwx
      user:hive:rwx
      group:root:rwx
      group::---
      group:hive:rwx
      mask::rwx
      other::---

      Dropping the first table also results in the directories no longer being managed at all.

      drop table home1;

      # file: /location/pk=1
      # owner: ryanp
      # group: ryanp
      user::rwx
      group::rwx
      other::rwx

      # file: /location/pk=2
      # owner: ryanp
      # group: ryanp
      user::rwx
      group::rwx
      other::rwx

      The only way to pick up the 2 tables grants at this point would be to restart HMS.

      Since theoretically partitions can be members of numerous tables, we should fix this behavior. Grants placed against either authorizable object should be reflected in HDFS. As long as there are any references to the partition, it should remain managed as well.
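
An added example (not part of the original report and not Sentry's own code): a Python check that parses `hdfs dfs -getfacl` output and lists the groups granted through any referencing table that are absent from a partition directory's ACL. The table-to-path and table-to-group inventories are hand-written assumptions mirroring the report, and the sample listing is constructed from the output quoted above.

```python
import re

def parse_getfacl(text):
    """Parse `hdfs dfs -getfacl` output into {path: {"owner", "group", "acl"}}."""
    result, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        header = re.match(r"#\s*(file|owner|group):\s*(.+)", line)
        if header:
            key, value = header.groups()
            if key == "file":
                current = result.setdefault(value, {"acl": {}})
            elif current is not None:
                current[key] = value
            continue
        parts = line.split(":")
        # Access entries are type:name:perms; default: entries (4 fields) are skipped.
        if current is not None and len(parts) == 3:
            current["acl"][(parts[0], parts[1])] = parts[2]
    return result

def missing_groups(acls, table_paths, table_groups):
    """Map each path to the groups a referencing table grants but its ACL lacks."""
    report = {}
    for path, entry in acls.items():
        expected = set()
        for table, paths in table_paths.items():
            if path in paths:  # every table that references the directory counts
                expected |= table_groups.get(table, set())
        present = {name for (kind, name), perms in entry["acl"].items()
                   if kind == "group" and name and perms != "---"}
        if expected - present:
            report[path] = sorted(expected - present)
    return report

# Constructed sample: the ACL state the report shows after both grants were issued.
_ACL = ("# file: {}\n# owner: hive\n# group: hive\nuser::rwx\nuser:hive:rwx\n"
        "group:root:rwx\ngroup::---\ngroup:hive:rwx\nmask::rwx\nother::---\n")
PATHS = ["/location/pk=1", "/location/pk=2"]
SAMPLE = "\n".join(_ACL.format(p) for p in PATHS)
# Assumed inventory (hand-written here): both tables cover both partitions.
TABLE_PATHS = {"home1": set(PATHS), "home2": set(PATHS)}
TABLE_GROUPS = {"home1": {"root"}, "home2": {"ryanp"}}

if __name__ == "__main__":
    for path, groups in missing_groups(parse_getfacl(SAMPLE), TABLE_PATHS, TABLE_GROUPS).items():
        print(f"{path}: missing group ACL for {', '.join(groups)}")
```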

      Attachments

        1. SENTRY-953.0.patch
          125 kB
          Sravya Tirukkovalur
        2. SENTRY-953.002.patch
          150 kB
          Hao Hao
        3. SENTRY-953.003.patch
          167 kB
          Hao Hao
        4. SENTRY-953.005.patch
          173 kB
          Hao Hao
        5. SENTRY-953.1.patch
          134 kB
          Sravya Tirukkovalur

          People

            hahao Hao Hao
            Ryan P Ryan P