[ https://issues.apache.org/jira/browse/HIVE-6892?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14731859#comment-14731859 ]
Lefty Leverenz commented on HIVE-6892:
--------------------------------------

What needs to be changed in the wiki? (Perhaps it should be a separate JIRA issue.)

* [Permission Inheritance in Hive | https://cwiki.apache.org/confluence/display/Hive/Permission+Inheritance+in+Hive]

> Permission inheritance issues
> -----------------------------
>
>                 Key: HIVE-6892
>                 URL: https://issues.apache.org/jira/browse/HIVE-6892
>             Project: Hive
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 0.13.0
>            Reporter: Szehon Ho
>            Assignee: Szehon Ho
>
> *HDFS Background*
> * When a file or directory is created, its owner is the user identity of the
> client process, and its group is inherited from parent (the BSD rule).
> Permissions are taken from default umask. Extended ACLs are taken from
> parent unless they are set explicitly.
>
> *Goals*
> To reduce need to set fine-grain file security props after every operation,
> users may want the following Hive warehouse file/dir to auto-inherit security
> properties from their directory parents:
> * Directories created by new database/table/partition/bucket
> * Files added to tables via load/insert
> * Table directories exported/imported (open question of whether exported
> table inheriting perm from new parent needs another flag)
>
> What may be inherited:
> * Basic file permission
> * Groups (already done by HDFS for new directories)
> * Extended ACLs (already done by HDFS for new directories)
>
> *Behavior*
> * When "hive.warehouse.subdir.inherit.perms" flag is enabled in Hive, Hive
> will try to do all above inheritances. In the future, we can add more flags
> for finer-grained control.
> * Failure by Hive to inherit will not cause operation to fail. Rule of thumb
> of when security-prop inheritance will happen is the following:
> ** To run chmod, a user must be the owner of the file, or else a super-user.
> ** To run chgrp, a user must be the owner of files, or else a super-user.
> ** Hence, user that hive runs as (either 'hive' or the logged-in user in case
> of impersonation), must be super-user or owner of the file whose security
> properties are going to be changed.

--
This message was sent by Atlassian JIRA (v6.3.4#6332)
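
An added example, not part of the JIRA message or Hive's own code: because the quoted description says a failed inheritance does not fail the operation, this script parses `hdfs dfs -ls -R` output and flags children whose group or mode differs from their parent's. The sample listing and its paths are constructed, and comparing files on read/write bits only is an assumption about how inheritance applies to files.

```python
import posixpath

# Constructed sample of `hdfs dfs -ls -R /user/hive/warehouse` output (not from the issue).
SAMPLE_LISTING = """\
drwxrwx---   - hive analysts          0 2015-09-04 10:00 /user/hive/warehouse/sales.db
drwxrwx---   - hive analysts          0 2015-09-04 10:01 /user/hive/warehouse/sales.db/orders
drwxr-xr-x   - alice analysts         0 2015-09-04 10:02 /user/hive/warehouse/sales.db/orders/dt=2015-09-01
-rw-r--r--   3 alice staff         1024 2015-09-04 10:03 /user/hive/warehouse/sales.db/orders/dt=2015-09-01/000000_0
drwxrwx---+  - hive analysts          0 2015-09-04 10:04 /user/hive/warehouse/sales.db/returns
"""

def parse_listing(text):
    """Map path -> (is_dir, mode, owner, group) from `hdfs dfs -ls -R` lines."""
    entries = {}
    for line in text.splitlines():
        parts = line.split(None, 7)  # path is last, so spaces in it survive
        if len(parts) != 8 or parts[0][0] not in "d-":
            continue  # skip "Found N items" headers and unparseable lines
        perms, _repl, owner, group, _size, _date, _time, path = parts
        mode = perms[1:10]  # drop the type character and a trailing '+' ACL marker
        entries[path] = (perms[0] == "d", mode, owner, group)
    return entries

def strip_exec(mode):
    """Blank the execute positions (assumption: files are compared on rw bits only)."""
    return "".join("-" if i % 3 == 2 else c for i, c in enumerate(mode))

def find_drift(entries):
    """Return (path, reason) for children whose group or mode differs from the parent."""
    findings = []
    for path, (is_dir, mode, _owner, group) in sorted(entries.items()):
        parent = entries.get(posixpath.dirname(path))
        if parent is None:
            continue  # parent is outside the listing (root of the scan)
        _, p_mode, _, p_group = parent
        if group != p_group:
            findings.append((path, "group %s != parent %s" % (group, p_group)))
        same = mode == p_mode if is_dir else strip_exec(mode) == strip_exec(p_mode)
        if not same:
            findings.append((path, "mode %s != parent %s" % (mode, p_mode)))
    return findings

if __name__ == "__main__":
    for path, reason in find_drift(parse_listing(SAMPLE_LISTING)):
        print(path, "->", reason)
```

Extended ACLs are not visible in `ls` output beyond the `+` marker, so comparing them would need `hdfs dfs -getfacl` on each flagged path.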