I agree that fiddling with umask is not the cleanest approach here. But I am not sure about always inheriting permissions either, since this effectively implies the whole sub-tree of the warehouse dir will have the same permissions as the warehouse dir itself. Concretely, let's consider the following example. Let's say the wh dir has 700 perms. Then, if I create a table (which only the owner of wh can do), I will end up with either 775 or 755 (depending on whether it was before or after the earlier patch of the jira). However, with your patch, the table dir will end up with 700. In the earlier case, anyone could have read the tables, but now with your approach only the owner can read. Now, which of these is the correct behavior is open for debate and depends on which security model you have as your premise. Additionally, this will be a change of behavior from the current behavior. So, I suggest you define a new config variable like hive.warehouse.inherit.perms or something similar and set it to false by default. And then take your code path of inheriting parent perms in case it is set to true. Thoughts?
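The outcomes compared in the comment above, as an added example that is not part of the original thread or of Hive's code. It assumes a local POSIX directory stands in for the warehouse, that umasks of 022 and 002 produce the 755 and 775 cases, and that `inherit_perms` is a hypothetical flag standing in for the proposed config variable.

```python
import os
import stat
import tempfile


def mode_of(path):
    """Return only the permission bits of path."""
    return stat.S_IMODE(os.stat(path).st_mode)


def create_table_dir(warehouse, table, inherit_perms=False, umask=0o022):
    """Create warehouse/table and return the mode it ends up with.

    inherit_perms=False: mode is 777 filtered by the process umask.
    inherit_perms=True:  mode is copied from the parent (warehouse) dir.
    """
    path = os.path.join(warehouse, table)
    previous = os.umask(umask)  # assumed umask for the creating process
    try:
        os.mkdir(path, 0o777)
    finally:
        os.umask(previous)  # always restore the caller's umask
    if inherit_perms:
        os.chmod(path, mode_of(warehouse))
    return mode_of(path)


def demo():
    """Build a 700 warehouse dir and create one table dir per policy."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        wh = os.path.join(root, "warehouse")  # constructed sample layout
        os.mkdir(wh)
        os.chmod(wh, 0o700)
        results["umask_022"] = create_table_dir(wh, "t1", umask=0o022)
        results["umask_002"] = create_table_dir(wh, "t2", umask=0o002)
        results["inherit"] = create_table_dir(wh, "t3", inherit_perms=True)
    return results


if __name__ == "__main__":
    for policy, mode in demo().items():
        print(f"{policy:10s} -> {mode:o}")
```

Leaving the flag off by default keeps the umask-derived mode, so existing deployments see no change until they opt in.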