Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

Not able to delete sentry permission on Hive DB folder/directory

Not able to delete sentry permission on Hive DB folder/directory

Hi Experts, 

 

I enabled sentry on one of the Hive DB with wrong group name, now I am not able to remove ACL. I tried setfacl with arguments like -b, -k and also tried with -m to rename but I am not able to see any change when I give getfacl on that DB directory under /user/hive/warehouse. 

 

Here is the output 

 

[user@hostname ~]$ hadoop fs -getfacl /user/hive/warehouse/test.db
# file: /user/hive/warehouse/test.db
# owner: hive
# group: hive
user::rwx
group:group1:rwx
group::---
user:hive:rwx
group:group2:r-x
group:hive:rwx
group:group3:rwx
mask::rwx
other::--x
[user@hostname ~]$ hdfs dfs -setfacl -k /user/hive/warehouse/test.db

[user@hostname ~]$ hdfs dfs -setfacl -b /user/hive/warehouse/test.db 

 

setfacl: Invalid group entry index after binary-searching inode: /user/hive/warehouse/test.db(3979083) with featureEntries:[group:group1:rwx, group::---, user:hive:rwx, group:group2:r-x, group:hive:rwx, group:group3:rwx] (-4) must not be negative


[user@hostname ~]$ hadoop fs -getfacl /user/hive/warehouse/test.db
# file: /user/hive/warehouse/test.db
# owner: hive
# group: hive
user::rwx
group:group1:rwx
group::---
user:hive:rwx
group:group2:r-x
group:hive:rwx
group:group3:rwx
mask::rwx
other::--x

 

Can someone help on this,

 

Thanks
Kishore

2 REPLIES 2

Re: Not able to delete sentry permission on Hive DB folder/directory

Champion

@TheKishore432

 

Pls try -x option as follows to remove the specific entry. 

 

Ex: hdfs dfs -setfacl -x user:hadoop /file

 

Highlighted

Re: Not able to delete sentry permission on Hive DB folder/directory

Expert Contributor

If you have enabled "HDFS-Sentry synchronization"  then your setfacl actions will have no impact.

Sentry rules are translated to ACL. You should use either HUE (Security/Sentry Roles) to fix the group or connect to beeline and use the grant/revoke commands.

Don't have an account?
Coming from Hortonworks? Activate your account here