apache · viirya · Dec 19, 2019 · Dec 19, 2019 · Dec 27, 2019 · Dec 28, 2019
diff --git a/sql/core/src/main/scala/org/apache/spark/sql/execution/command/tables.scala b/sql/core/src/main/scala/org/apache/spark/sql/execution/command/tables.scala
@@ -24,6 +24,7 @@ import scala.util.Try
 import scala.util.control.NonFatal
 
 import org.apache.hadoop.fs.{FileContext, FsConstants, Path}
+import org.apache.hadoop.fs.permission.{AclEntry, FsPermission}
 
 import org.apache.spark.sql.{AnalysisException, Row, SparkSession}
 import org.apache.spark.sql.catalyst.TableIdentifier
@@ -499,8 +500,48 @@ case class TruncateTableCommand(
         val path = new Path(location.get)
         try {
           val fs = path.getFileSystem(hadoopConf)
+          val fileStatus = fs.getFileStatus(path)
+          // Not all fs impl. support these APIs.
+          var optPermission: Option[FsPermission] = None
+          try {
+            optPermission = Some(fileStatus.getPermission())
+          } catch {
+            case NonFatal(_) => // do nothing
+          }
+
+          var optAcls: Option[java.util.List[AclEntry]] = None
+          try {
+            optAcls = Some(fs.getAclStatus(path).getEntries)
+          } catch {
+            case NonFatal(_) => // do nothing
+          }
+
           fs.delete(path, true)
+
+          // We should keep original permission/acl of the path.
+          // For owner/group, only super-user can set it, for example on HDFS. Because
+          // current user can delete the path, we assume the user/group is correct or not an issue.
           fs.mkdirs(path)
+          optPermission.foreach { permission =>
+            try {
+              fs.setPermission(path, permission)
+            } catch {
+              case NonFatal(e) =>
+                throw new SecurityException(
+                  s"Failed to set original permission $permission back to " +
+                    s"the created path: $path. Exception: ${e.getMessage}")
+            }
+          }
+          optAcls.foreach { acls =>
+            try {
+              fs.setAcl(path, acls)
+            } catch {
+              case NonFatal(e) =>
+                throw new SecurityException(
+                  s"Failed to set original ACL $acls back to " +
+                    s"the created path: $path. Exception: ${e.getMessage}")
+            }
+          }
         } catch {
           case NonFatal(e) =>
             throw new AnalysisException(

diff --git a/sql/core/src/test/scala/org/apache/spark/sql/execution/command/DDLSuite.scala b/sql/core/src/test/scala/org/apache/spark/sql/execution/command/DDLSuite.scala
@@ -21,7 +21,8 @@ import java.io.{File, PrintWriter}
 import java.net.URI
 import java.util.Locale
 
-import org.apache.hadoop.fs.Path
+import org.apache.hadoop.fs.{Path, RawLocalFileSystem}
+import org.apache.hadoop.fs.permission.{AclEntry, AclEntryScope, AclEntryType, AclStatus, FsAction, FsPermission}
 
 import org.apache.spark.internal.config
 import org.apache.spark.internal.config.RDD_PARALLEL_LISTING_THRESHOLD
@@ -1981,6 +1982,48 @@ abstract class DDLSuite extends QueryTest with SQLTestUtils {
     }
   }
 
+  test("SPARK-30312: truncate table - keep acl/permission") {
+    import testImplicits._
+
+    withSQLConf(
+      "fs.file.impl" -> classOf[FakeLocalFsFileSystem].getName,
+      "fs.file.impl.disable.cache" -> "true") {
+      withTable("tab1") {
+        sql("CREATE TABLE tab1 (col INT) USING parquet")
+        sql("INSERT INTO tab1 SELECT 1")
+        checkAnswer(spark.table("tab1"), Row(1))
+
+        val tablePath = new Path(spark.sessionState.catalog
+          .getTableMetadata(TableIdentifier("tab1")).storage.locationUri.get)
+
+        val hadoopConf = spark.sessionState.newHadoopConf()
+        val fs = tablePath.getFileSystem(hadoopConf)
+        val fileStatus = fs.getFileStatus(tablePath);
+
+        fs.setPermission(tablePath, new FsPermission("777"))
+        assert(fileStatus.getPermission().toString() == "rwxrwxrwx")
+
+        // Set ACL to table path.
+        val customAcl = new java.util.ArrayList[AclEntry]()
+        customAcl.add(new AclEntry.Builder()
+          .setType(AclEntryType.USER)
+          .setScope(AclEntryScope.ACCESS)
+          .setPermission(FsAction.READ).build())
+        fs.setAcl(tablePath, customAcl)
+        assert(fs.getAclStatus(tablePath).getEntries().get(0) == customAcl.get(0))
+
+        sql("TRUNCATE TABLE tab1")
+        assert(spark.table("tab1").collect().isEmpty)
+
+        val fileStatus2 = fs.getFileStatus(tablePath)
+        assert(fileStatus2.getPermission().toString() == "rwxrwxrwx")
+        val aclEntries = fs.getAclStatus(tablePath).getEntries()
+        assert(aclEntries.size() == 1)
+        assert(aclEntries.get(0) == customAcl.get(0))
+      }
+    }
+  }
+
   test("create temporary view with mismatched schema") {
     withTable("tab1") {
       spark.range(10).write.saveAsTable("tab1")
@@ -2879,3 +2922,25 @@ abstract class DDLSuite extends QueryTest with SQLTestUtils {
     }
   }
 }
+
+object FakeLocalFsFileSystem {
+  var aclStatus = new AclStatus.Builder().build()
+}
+
+// A fake test local filesystem used to test ACL. It keeps a ACL status. If deletes
+// a path of this filesystem, it will clean up the ACL status. Note that for test purpose,
+// it has only one ACL status for all paths.
+class FakeLocalFsFileSystem extends RawLocalFileSystem {
+  import FakeLocalFsFileSystem._
+
+  override def delete(f: Path, recursive: Boolean): Boolean = {
+    aclStatus = new AclStatus.Builder().build()
+    super.delete(f, recursive)
+  }
+
+  override def getAclStatus(path: Path): AclStatus = aclStatus
+
+  override def setAcl(path: Path, aclSpec: java.util.List[AclEntry]): Unit = {
+    aclStatus = new AclStatus.Builder().addEntries(aclSpec).build()
+  }
+}