ranger-dev mailing list archives

From "Don Bosco Durai (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (RANGER-738) Server-wide control over TRANSFORM clause in Hive
Date Tue, 01 Dec 2015 19:10:11 GMT

    [ https://issues.apache.org/jira/browse/RANGER-738?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15034380#comment-15034380 ]

Don Bosco Durai commented on RANGER-738:
----------------------------------------

Yes, the key issue is that you can run system commands. These commands will run as user "hive"
in HiveServer2, unless we fork another process and run it as the end user (similar to YARN).





> Server-wide control over TRANSFORM clause in Hive
> -------------------------------------------------
>
>                 Key: RANGER-738
>                 URL: https://issues.apache.org/jira/browse/RANGER-738
>             Project: Ranger
>          Issue Type: New Feature
>          Components: plugins
>            Reporter: Scott C Gray
>              Labels: features, security
>
> The TRANSFORM statement in Hive is a big security hole when Hive is run without impersonation,
> so when SQL Standard Authorization is enabled, the feature is completely disabled, which is
> a bit of a sledgehammer approach to securing this statement.
> Sentry added support for restricting this statement at a per-user/group level, which
> should be adopted by Ranger.
> https://issues.apache.org/jira/browse/SENTRY-598



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
