Skip to content

[SPARK-30312][SQL] Preserve path permission and acl when truncate table #26956

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
viirya wants to merge 9 commits into from
Closed

[SPARK-30312][SQL] Preserve path permission and acl when truncate table #26956

Show file tree
Hide file tree
Changes from 5 commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
73e1bb0
Preserve original permission when truncate table.
viirya Dec 19, 2019
60134c1
Update test case for ACL test.
viirya Dec 19, 2019
1df437b
Remove setOwner.
viirya Dec 27, 2019
2c3f1fb
Consider the cases that not all fs support these APIs.
viirya Dec 28, 2019
39fe234
Address comment.
viirya Jan 6, 2020
7b29f2f
Use try instead of Try.
viirya Jan 9, 2020
ab69638
Address comment.
viirya Jan 9, 2020
00a2bc8
Use SecurityException.
viirya Jan 9, 2020
8e429a3
Add a config.
viirya Jan 10, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
29 changes: 28 additions & 1 deletion sql/core/src/main/scala/org/apache/spark/sql/execution/command/tables.scala
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@ package org.apache.spark.sql.execution.command
import java.net.{URI, URISyntaxException}

import scala.collection.mutable.ArrayBuffer
import scala.util.Try
import scala.util.{Failure, Try}
import scala.util.control.NonFatal

import org.apache.hadoop.fs.{FileContext, FsConstants, Path}
Expand Down Expand Up @@ -499,8 +499,35 @@ case class TruncateTableCommand(
val path = new Path(location.get)
try {
val fs = path.getFileSystem(hadoopConf)
val fileStatus = fs.getFileStatus(path)
// Not all fs impl. support these APIs.
val optPermission = Try(fileStatus.getPermission())
val optAcls = Try(fs.getAclStatus(path).getEntries)

fs.delete(path, true)

@cloud-fan cloud-fan Jan 2, 2020
edited
Loading

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

not familiar with Hadoop FS APIs, but do we have something like rm -rf tablePath/*?. My point is, if we don't delete the parent folder, then we don't have this problem at all.

@viirya viirya Jan 2, 2020

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In the FileSystem API, I didn't find one like that.

But I just search again, there is FileUtil API that seems working like that.

I will test tomorrow to see if it work well to keep permission/acl in a Spark cluster like current approach.

@viirya viirya Jan 2, 2020

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

oh, I think FileUtil.fullyDeleteContents only works on local file (java.io.File), not for files on distributed file system like HDFS.

@viirya viirya Jan 2, 2020

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So I think there is no single API to do rm -rf tablePath/* in Hadoop FS, if I haven't missed anything.

We can do listStatus and delete all contents in the given directory. But it is inefficient for DFS and is easier to have error.

@cloud-fan cloud-fan Jan 2, 2020

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you know how Hive/Presto implement TRUNCATE TABLE? Are there other file attributes we need to retain?

@viirya viirya Jan 2, 2020
edited
Loading

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For Hive, I try to trace the code path for TRUNCATE TABLE:

  1. HiveMetaStore. truncateTableInternal:

Get the locations of table/partitions and call Warehouse.deleteDir for each.

https://github.com/apache/hive/blob/master/standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java#L3109

  1. Warehouse.deleteDir delegates to MetaStoreFS.deleteDir.
  2. HiveMetaStoreFsImpl (implements MetaStoreFS) delegates to FileUtils.moveToTrash which calls FileSystem.delete(f, true).

In HiveMetaStore.truncateTableInternal, after the location is deleted, new directory is created and previous file status including permissions, group, and ACLs are set to new directory:

https://github.com/apache/hive/blob/35f86c749cefc2a9972a991deed78a1c3719093d/standalone-metastore/metastore-common/src/main/java/org/apache/hadoop/hive/metastore/utils/HdfsUtils.java#L288

@viirya viirya Jan 2, 2020

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Now I retain permission and ACLs. I was doing fs.setOwner in first commit for retaining path owner and group. But fs.setOwner throws exception because it is only doable by super user.

In Hive code, since it is code running the metastore server, I think it is running with enough permission to set owner/group. For Spark, we may not running it with super user.

@viirya viirya Jan 3, 2020

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In Presto, looks like it takes the approach by listing all files/directories under the path to delete (i.e., rm -rf tablePath/*), and recursively deleting them:

https://github.com/prestodb/presto/blob/9c21aaa659f9d4927fe12bec4b8015c8cbf4722e/presto-hive-metastore/src/main/java/com/facebook/presto/hive/metastore/SemiTransactionalHiveMetastore.java#L485

https://github.com/prestodb/presto/blob/9c21aaa659f9d4927fe12bec4b8015c8cbf4722e/presto-hive-metastore/src/main/java/com/facebook/presto/hive/metastore/SemiTransactionalHiveMetastore.java#L1796

@cloud-fan cloud-fan Jan 3, 2020

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the presto way seems safer to me.

@viirya viirya Jan 3, 2020

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was concerned with the presto way on performance regression. For a table which has many files/directories, deleting them one by one could be a bottleneck.

If we add a config for retaining permission/ACLs when truncating table? Users can choose to disable it and directly delete top directory (current behavior) without retaining permission/ACLs.


// We should keep original permission/acl of the path.
// For owner/group, only super-user can set it, for example on HDFS. Because
// current user can delete the path, we assume the user/group is correct or not an issue.
fs.mkdirs(path)
optPermission.foreach { permission =>
Try(fs.setPermission(path, permission)) match {
Comment thread
viirya marked this conversation as resolved.
Outdated
case Failure(e) =>
throw new AnalysisException(

@dongjoon-hyun dongjoon-hyun Jan 9, 2020
edited
Loading

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ur, AnalysisException looks weird a little. This is not Analysis error.

@dongjoon-hyun dongjoon-hyun Jan 9, 2020

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also, Exception is too risky behavior change. (@gatorsmile ).
I guess warning might be enough?

@viirya viirya Jan 9, 2020

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ur, AnalysisException looks weird a little. This is not Analysis error.

Ah, this follows throwing AnalysisException at the outside try..catch block. We can change this.

@viirya viirya Jan 9, 2020

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also, Exception is too risky behavior change. (@gatorsmile ).
I guess warning might be enough?

For security reason, cannot set back original Acl/permission seems serious issue so Exception is thrown now. warning might be ignored and not noticed by users.

I'm ok with a warning if you all think it isn't an issue.

@viirya viirya Jan 9, 2020

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ur, AnalysisException looks weird a little. This is not Analysis error.

Maybe SparkException or RuntimeException?

@dongjoon-hyun dongjoon-hyun Jan 9, 2020

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  • If this is for security, what about SecurityException?
  • If we need to raise an exception, shall we have a fallback configuration?

@viirya viirya Jan 9, 2020

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Based on previous discussion around #26956 (comment), we may not need a config.

SecurityException seems ok. cc @cloud-fan

@cloud-fan cloud-fan Jan 9, 2020

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SecurityException sounds good

s"Failed to set original permission $permission back to " +
s"the created path: $path. Exception: ${e.getMessage}")
case _ =>
}
}
optAcls.foreach { acls =>
Try(fs.setAcl(path, acls)) match {
case Failure(e) =>
throw new AnalysisException(

@dongjoon-hyun dongjoon-hyun Jan 9, 2020

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ditto.

s"Failed to set original ACL $acls back to " +
s"the created path: $path. Exception: ${e.getMessage}")
case _ =>
}
}
} catch {
case NonFatal(e) =>
throw new AnalysisException(
Expand Down
67 changes: 66 additions & 1 deletion sql/core/src/test/scala/org/apache/spark/sql/execution/command/DDLSuite.scala
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,8 @@ import java.io.{File, PrintWriter}
import java.net.URI
import java.util.Locale

import org.apache.hadoop.fs.Path
import org.apache.hadoop.fs.{Path, RawLocalFileSystem}
import org.apache.hadoop.fs.permission.{AclEntry, AclEntryScope, AclEntryType, AclStatus, FsAction, FsPermission}

import org.apache.spark.internal.config
import org.apache.spark.internal.config.RDD_PARALLEL_LISTING_THRESHOLD
Expand Down Expand Up @@ -1981,6 +1982,48 @@ abstract class DDLSuite extends QueryTest with SQLTestUtils {
}
}

test("truncate table - keep acl/permission") {
Comment thread
viirya marked this conversation as resolved.
Outdated
import testImplicits._

withSQLConf(
"fs.file.impl" -> classOf[FakeLocalFsFileSystem].getName,
"fs.file.impl.disable.cache" -> "true") {
withTable("tab1") {
sql("CREATE TABLE tab1 (col INT) USING parquet")
sql("INSERT INTO tab1 SELECT 1")
checkAnswer(spark.table("tab1"), Row(1))

val tablePath = new Path(spark.sessionState.catalog
.getTableMetadata(TableIdentifier("tab1")).storage.locationUri.get)

val hadoopConf = spark.sessionState.newHadoopConf()
val fs = tablePath.getFileSystem(hadoopConf)
val fileStatus = fs.getFileStatus(tablePath);

fs.setPermission(tablePath, new FsPermission("777"))
assert(fileStatus.getPermission().toString() == "rwxrwxrwx")

// Set ACL to table path.
val customAcl = new java.util.ArrayList[AclEntry]()
customAcl.add(new AclEntry.Builder()
.setType(AclEntryType.USER)
.setScope(AclEntryScope.ACCESS)
.setPermission(FsAction.READ).build())
fs.setAcl(tablePath, customAcl)
assert(fs.getAclStatus(tablePath).getEntries().get(0) == customAcl.get(0))

sql("TRUNCATE TABLE tab1")
assert(spark.table("tab1").collect().isEmpty)

val fileStatus2 = fs.getFileStatus(tablePath)
assert(fileStatus2.getPermission().toString() == "rwxrwxrwx")
val aclEntries = fs.getAclStatus(tablePath).getEntries()
assert(aclEntries.size() == 1)
assert(aclEntries.get(0) == customAcl.get(0))
}
}
}

test("create temporary view with mismatched schema") {
withTable("tab1") {
spark.range(10).write.saveAsTable("tab1")
Expand Down Expand Up @@ -2879,3 +2922,25 @@ abstract class DDLSuite extends QueryTest with SQLTestUtils {
}
}
}

object FakeLocalFsFileSystem {
var aclStatus = new AclStatus.Builder().build()
}

// A fake test local filesystem used to test ACL. It keeps a ACL status. If deletes
// a path of this filesystem, it will clean up the ACL status. Note that for test purpose,
// it has only one ACL status for all paths.
class FakeLocalFsFileSystem extends RawLocalFileSystem {
import FakeLocalFsFileSystem._

override def delete(f: Path, recursive: Boolean): Boolean = {
aclStatus = new AclStatus.Builder().build()
super.delete(f, recursive)
}

override def getAclStatus(path: Path): AclStatus = aclStatus

override def setAcl(path: Path, aclSpec: java.util.List[AclEntry]): Unit = {
aclStatus = new AclStatus.Builder().addEntries(aclSpec).build()
}
}