Sentry / SENTRY-715

ACLs are not updated on a table until the first explicit GRANT statement.


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.5.0
    • Fix Version/s: 1.5.0
    • Component/s: None
    • Labels:
      None

      Description

      CREATE ROLE systest_default;
      GRANT ROLE systest_default TO GROUP systest;
      GRANT ALL ON DATABASE default to ROLE systest_default;

      2. kinit as systest
      CREATE TABLE test_tbl (i int);
      INSERT INTO TABLE test_tbl SELECT 1;

      3. Look at ACLs (note that systest is not included):
      [root@lenni-ssl-2 ~]# hadoop fs -getfacl /user/hive/warehouse/test_tbl/f4db14c9df67efd-7f75a399c558b896_1419062973_data.0.

      # file: /user/hive/warehouse/test_tbl/f4db14c9df67efd-7f75a399c558b896_1419062973_data.0.
      # owner: hive
      # group: hive
      user::rwx
      user:hive:rwx
      group:hive:rwx
      other::---
      mask::rwx
      other::---

      4. If a GRANT SELECT ON TABLE test_tbl is executed after the table is created, the privileges are updated. But note that the systest only has read privileges and not read/write (it should inherit the ALL on the database):

      [root@lenni-ssl-2 ~]# hadoop fs -getfacl /user/hive/warehouse/test_tbl/f4db14c9df67efd-7f75a399c558b896_1419062973_data.0.
      # file: /user/hive/warehouse/test_tbl/f4db14c9df67efd-7f75a399c558b896_1419062973_data.0.
      # owner: hive
      # group: hive
      user::rwx
      user:hive:rwx
      group:hive:rwx
      other::---
      group:systest:r-x
      mask::rwx
      other::---
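
An added example, not part of the original report or of Sentry itself: a small audit that parses `hadoop fs -getfacl` output and flags groups whose effective HDFS ACL falls short of their Sentry grant, which is the gap shown in both listings above. The privilege-to-permission mapping, the function names and the shortened sample path are assumptions made for illustration.

```python
# Added example, not Sentry code. Permission mapping is an assumption taken from
# the report: SELECT showed up as r-x, and ALL is expected to give read/write.
EXPECTED_PERMS = {"SELECT": "r-x", "ALL": "rwx"}

def parse_getfacl(text):
    """Parse `hadoop fs -getfacl` output into {(type, name): perms}."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and the "# file/owner/group" header
        parts = line.split()[0].split(":")  # drop any trailing "#effective:" note
        if len(parts) == 3 and len(parts[2]) == 3:  # access entries only
            entries[(parts[0], parts[1])] = parts[2]
    return entries

def effective(perms, mask):
    """Named-group permissions are limited by the ACL mask entry."""
    return "".join(p if p == m else "-" for p, m in zip(perms, mask))

def audit(text, grants):
    """grants maps group -> Sentry privilege; returns (group, expected, actual) gaps."""
    entries = parse_getfacl(text)
    mask = entries.get(("mask", ""), "rwx")
    findings = []
    for group, privilege in sorted(grants.items()):
        expected = EXPECTED_PERMS[privilege]
        perms = entries.get(("group", group))
        actual = effective(perms, mask) if perms else None  # None: no entry at all
        if actual is None or any(e != "-" and a != e for e, a in zip(expected, actual)):
            findings.append((group, expected, actual))
    return findings

# Constructed samples modelled on the two listings in the report.
BEFORE_GRANT = """# file: /user/hive/warehouse/test_tbl
# owner: hive
# group: hive
user::rwx
user:hive:rwx
group:hive:rwx
mask::rwx
other::---
"""
AFTER_SELECT_GRANT = BEFORE_GRANT.replace("mask::rwx", "group:systest:r-x\nmask::rwx")

if __name__ == "__main__":
    for label, acl in (("before", BEFORE_GRANT), ("after", AFTER_SELECT_GRANT)):
        print(label, audit(acl, {"systest": "ALL"}))
```

An empty result means every listed group has at least the permissions its grant implies; a `None` in the third field means the group has no ACL entry on the file at all.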

            People

            • Assignee:
              prasadm Prasad Suresh Mujumdar
              Reporter:
              prasadm Prasad Suresh Mujumdar