Child pages
  • Permission Inheritance in Hive

...

  • Basic file permission
  • Groups (already done by HDFS for new directories)
  • Extended ACLs (already done by HDFS for new directories)

    Note

    This inheritance of extended ACLs is literal: all extended ACLs are copied to children as is, including ACLs for the defaultGroup.

    One possible improvement is to follow HDFS semantics for the defaultGroup, which are as follows:

    "When a new file or sub-directory is created, it automatically copies the default ACL of its parent into its own access ACL. A new sub-directory also copies it to its own default ACL. In this way, the default ACL will be copied down through arbitrarily deep levels of the file system tree as new sub-directories get created." (https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-hdfs/HdfsPermissionsGuide.html#ACLs_Access_Control_Lists)

    See HIVE-11481.
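The difference between the literal copy described in this note and the quoted HDFS default-ACL rule, as an added example that is not Hive or HDFS code. The function names and the sample ACL are constructed for illustration, and the filtering by create mode that HDFS also applies is left out.

```python
# Added illustration: models only the two rules stated in the Note above.
# Entry strings follow `hdfs dfs -getfacl` output; all names are constructed.

# Constructed ACL of a parent (table) directory: the access ACL grants
# user "etl" rwx, while the default ACL grants only user "analyst" r-x.
PARENT = [
    "user::rwx", "user:etl:rwx", "group::r-x", "mask::rwx", "other::---",
    "default:user::rwx", "default:user:analyst:r-x", "default:group::r-x",
    "default:mask::r-x", "default:other::---",
]

def split_acl(entries):
    """Split entries into (access ACL, default ACL without the prefix)."""
    access = [e for e in entries if not e.startswith("default:")]
    default = [e[len("default:"):] for e in entries if e.startswith("default:")]
    return access, default

def literal_inherit(parent_entries):
    """Literal inheritance: every ACL entry of the parent is copied as is."""
    return list(parent_entries)

def hdfs_default_inherit(parent_entries, is_dir):
    """Quoted HDFS rule: the parent's default ACL becomes the child's access
    ACL; a new sub-directory also keeps it as its own default ACL."""
    _, default = split_acl(parent_entries)
    child = list(default)
    if is_dir:
        child += ["default:" + e for e in default]
    return child

def extra_grants(parent_entries, is_dir=True):
    """Access entries a child gets under literal copy but would not get
    under the HDFS default-ACL rule (candidates for a permission review)."""
    literal_access, _ = split_acl(literal_inherit(parent_entries))
    hdfs_access, _ = split_acl(hdfs_default_inherit(parent_entries, is_dir))
    return sorted(set(literal_access) - set(hdfs_access))

if __name__ == "__main__":
    print("literal copy :", literal_inherit(PARENT))
    print("HDFS default :", hdfs_default_inherit(PARENT, is_dir=True))
    print("extra grants :", extra_grants(PARENT))
```

With this sample, literal copy carries the parent's `user:etl:rwx` access grant down to the child, while the HDFS rule would give the child only what the parent's default ACL lists.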

Behavior

  • When the "hive.warehouse.subdir.inherit.perms" flag is enabled in Hive, Hive will try to apply all of the following inheritances.
    • Database directory inherits from warehouse directory.
    • Table directory inherits from database directory, or from warehouse directory if it is part of the default database.
    • External table directory inherits from parent directory.
    • Partition directory inherits from table directory.  (As of Hive 0.15.)
    • Data files inherit from table or partition directory.
  • A failure by Hive to inherit will not cause the operation to fail. As a rule of thumb, inheritance of security properties will happen under the following conditions:
    • To run chmod, a user must be the owner of the file, or else a super-user.
    • To run chgrp, a user must be the owner of the file, or else a super-user.
    • Hence, the user that Hive runs as (either 'hive' or the logged-in user in case of impersonation) must be a super-user or the owner of the file whose security properties are going to be changed.

...