Details
- Bug
- Status: Open
- Major
- Resolution: Unresolved
- 0.13.0
- None
- None
Description
HDFS Background
- When a file or directory is created, its owner is the user identity of the client process, and its group is inherited from the parent (the BSD rule). Permissions are taken from the default umask. Extended ACLs are taken from the parent unless they are set explicitly.
Goals
To reduce the need to set fine-grained file security properties after every operation, users may want the following Hive warehouse files/directories to auto-inherit security properties from their parent directories:
- Directories created by new database/table/partition/bucket
- Files added to tables via load/insert
- Table directories exported/imported (open question: whether an exported table inheriting permissions from its new parent needs another flag)
What may be inherited:
- Basic file permissions
- Groups (already done by HDFS for new directories)
- Extended ACLs (already done by HDFS for new directories)
Behavior
- When the "hive.warehouse.subdir.inherit.perms" flag is enabled in Hive, Hive will try to do all of the above inheritances. In the future, we can add more flags for finer-grained control.
- Failure by Hive to inherit will not cause the operation to fail. The rule of thumb for when security-property inheritance will happen is the following:
  - To run chmod, a user must be the owner of the file, or else a super-user.
  - To run chgrp, a user must be the owner of the file, or else a super-user.
  - Hence, the user that Hive runs as (either 'hive' or the logged-in user in case of impersonation) must be a super-user or the owner of the file whose security properties are going to be changed.
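The behavior above, modelled on a local POSIX filesystem as an added example (not Hive's own code, and not HDFS): a directory created under the default umask ends up more permissive than its restricted parent until the parent's mode and group are copied onto it, and a failed chmod/chgrp is reported rather than raised. The function names, directory names, and the vanished-directory stand-in for a permission failure are assumptions made for illustration.

```python
import os
import stat
import tempfile


def inherit_from_parent(path):
    """Best-effort copy of the parent's mode and group onto `path`.

    Returns a list of warnings and never raises on a failed chmod/chgrp,
    mirroring the rule that a failed inheritance must not fail the operation.
    """
    warnings = []
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    try:
        # chmod: allowed only for the owner of `path` or a super-user.
        os.chmod(path, stat.S_IMODE(parent.st_mode))
    except OSError as exc:
        warnings.append(f"chmod skipped: {exc.strerror}")
    try:
        # chgrp: same ownership rule; skip the call when nothing would change.
        if os.stat(path).st_gid != parent.st_gid:
            os.chown(path, -1, parent.st_gid)
    except OSError as exc:
        warnings.append(f"chgrp skipped: {exc.strerror}")
    return warnings


def demo():
    """Constructed scenario: restricted table directory, new partition in it."""
    table_dir = tempfile.mkdtemp(prefix="warehouse_tbl_")
    os.chmod(table_dir, 0o750)           # owner rwx, group r-x, others none
    part_dir = os.path.join(table_dir, "ds=2014-01-01")

    old_umask = os.umask(0o022)          # typical default umask
    try:
        os.mkdir(part_dir)               # mode comes from the umask: 0o755
    finally:
        os.umask(old_umask)
    before = stat.S_IMODE(os.stat(part_dir).st_mode)

    warnings = inherit_from_parent(part_dir)
    after = stat.S_IMODE(os.stat(part_dir).st_mode)

    # Failure path (stand-in for a permission error): the target is gone,
    # so chmod and chgrp both fail, yet nothing is raised to the caller.
    os.rmdir(part_dir)
    failed = inherit_from_parent(part_dir)
    os.rmdir(table_dir)
    return before, after, warnings, failed
```

`demo()` returns the child's mode before and after inheritance plus the warnings from the successful and the failing call, so the world-readable window left by the umask is visible in the first value.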
Issue Links
- incorporates
  - HIVE-8864 Fix permission inheritance with HDFS encryption (Resolved)
  - HIVE-8791 Hive permission inheritance throws exception S3 (Resolved)
  - HIVE-3756 "LOAD DATA" does not honor permission inheritence (Closed)
  - HIVE-6648 Permissions are not inherited correctly when tables have multiple partition columns (Closed)
  - HIVE-6792 hive.warehouse.subdir.inherit.perms doesn't work correctly in CTAS (Closed)
  - HIVE-6891 Alter rename partition Perm inheritance and general partition/table group inheritance (Closed)
  - HIVE-6916 Export/import inherit permissions from parent directory (Closed)
  - HIVE-7015 Failing to inherit group/permission should not fail the operation (Closed)
  - HIVE-7092 Insert overwrite should not delete the original directory (Closed)
  - HIVE-7117 Partitions not inheriting table permissions after alter rename partition (Closed)
  - HIVE-7119 Extended ACL's should be inherited if warehouse perm inheritance enabled (Closed)
  - HIVE-7450 Database should inherit perms of warehouse dir (Closed)
- is related to
  - HIVE-11481 hive incorrectly set extended ACLs for unnamed group for new databases/tables with inheritPerms enabled (Resolved)
  - HIVE-16392 Remove hive.warehouse.subdir.inherit.perms and all permissions inheritance logic (Closed)