hive-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Alok Lal (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HIVE-11988) [hive] security issue with hive & ranger for import table command
Date Tue, 08 Dec 2015 17:58:11 GMT

    [ https://issues.apache.org/jira/browse/HIVE-11988?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15047157#comment-15047157
] 

Alok Lal commented on HIVE-11988:
---------------------------------

While testing [the Ranger patch|https://reviews.apache.org/r/41067/] I submitted to mimic
these changes (RANGER-772), I see that the {{checkPrivilages}} call for IMPORT when import
would create a table does not include the table name in it.  [~madhan.neethiraj], one of the
reviewers of that patch observed that this could lead to following two potential usability
issues:
# In Ranger a user's access privileges can be specified using wildcards. Say, a user in finance
department has been given create privileges at the database level for any table that starts
with fin, i.e. {{fin*}}. If such a user attempts to import a table named, say, {{fintemp}}
then that operation would fail since we currently require database level privilege.
# Ranger audits various user actions. Since table name isn't specified we can't record which
table was got created. In some cases this could be inferred from the command string passed
that is into the {{checkPrivilages}} (which we store off in our audit). However, when {{IMPORT}}
does not specify the table name then in that case that information may not be readily available
to user.

> [hive] security issue with hive & ranger for import table command
> -----------------------------------------------------------------
>
>                 Key: HIVE-11988
>                 URL: https://issues.apache.org/jira/browse/HIVE-11988
>             Project: Hive
>          Issue Type: Bug
>          Components: Hive
>    Affects Versions: 0.14.0, 1.2.1
>            Reporter: Deepak Sharma
>            Assignee: Sushanth Sowmyan
>            Priority: Critical
>             Fix For: 1.3.0, 2.0.0, 1.2.2
>
>         Attachments: HIVE-11988.2.patch, HIVE-11988.3.patch, HIVE-11988.4.patch, HIVE-11988.5.patch,
HIVE-11988.patch, authorization_uri_import_q_hive.log, authorization_uri_import_q_output.txt
>
>
> if a user does not have permission to create table in hive , then if the same user import
data for a table using following command then , it will have to create table also and that
is working successfully , ideally it should not work
> STR:
> ====
> 1. put some raw data in hdfs path /user/user1/tempdata
> 2. in ranger check policy , user1 should not have any permission on any table
> 3. login through user1 into beeline ( obviously it will fail since user doesnt have permission
to create table)
> create table tt1(id INT,ff String);
> FAILED: HiveAccessControlException Permission denied: user user1 does not have CREATE
privilege on default/tt1 (state=42000,code=40000)
> 4. now try following command to import data into a table ( table should not exist already)
> import table tt1 from '/user/user1/tempdata';
> ER:
> since user1 doesnt have permission to create table so this operation should fail
> AR:
> table is created successfully and data is also imported !!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message