sentry-commits mailing list archives

From "Istvan Vajnorak (JIRA)" <j...@apache.org>
Subject [jira] [Created] (SENTRY-1034) Security leak in beeline connect command
Date Thu, 28 Jan 2016 17:19:39 GMT
Istvan Vajnorak created SENTRY-1034:
---------------------------------------

             Summary: Security leak in beeline connect command
                 Key: SENTRY-1034
                 URL: https://issues.apache.org/jira/browse/SENTRY-1034
             Project: Sentry
          Issue Type: Bug
          Components: Core
            Reporter: Istvan Vajnorak


A possible info leak in the way beeline connects to databases and uses the ACLs to prevent
seeing unauthorised databases and tables.

It turns out that one can connect to a database that one should not see, but listing it afterwards
gives no tables. This is still somewhat of a security breach, as an attacker can gain insight into
what databases exist.

The way the problem got identified:
[root@prod-vm-cdh-mgr-01 ~]# kinit -kt ~/allianz_mval.keytab allianz_mval 
[root@prod-vm-cdh-mgr-01 ~]# beeline 
Beeline version 1.1.0-cdh5.4.8 by Apache Hive 
beeline> !connect jdbc:hive2://vm-cdh-01:10000/sriveradb;principal=hive/_HOST@MITKDC 
scan complete in 6ms 
Connecting to jdbc:hive2://vm-cdh-01:10000/sriveradb;principal=hive/_HOST@MITKDC 
Enter username for jdbc:hive2://vm-cdh-01:10000/sriveradb;principal=hive/_HOST@MITKDC: 
Enter password for jdbc:hive2://vm-cdh-01:10000/sriveradb;principal=hive/_HOST@MITKDC: 
Connected to: Apache Hive (version 1.1.0-cdh5.4.8) 
Driver: Hive JDBC (version 1.1.0-cdh5.4.8) 
Transaction isolation: TRANSACTION_REPEATABLE_READ 
0: jdbc:hive2://vm-cdh-01:10000/srive> show databases; 
-----------------+
database_name
-----------------+
allianz_mvaldb
default
-----------------+ 
2 rows selected (0.726 seconds) 
0: jdbc:hive2://vm-cdh-01:10000/srive> show tables; 
-----------+
tab_name
-----------+ 
-----------+ 
No rows selected (1.033 seconds) 
0: jdbc:hive2://vm-cdh-01:10000/srive> !quit 
Closing: 0: jdbc:hive2://vm-cdh-01:10000/sriveradb;principal=hive/_HOST@MITKDC 
[root@prod-vm-cdh-mgr-01 ~]# beeline 
Beeline version 1.1.0-cdh5.4.8 by Apache Hive 
beeline> !connect jdbc:hive2://vm-cdh-01:10000/asdasdasdasd;principal=hive/_HOST@MITKDC

scan complete in 2ms 
Connecting to jdbc:hive2://vm-cdh-01:10000/asdasdasdasd;principal=hive/_HOST@MITKDC 
Enter username for jdbc:hive2://vm-cdh-01:10000/asdasdasdasd;principal=hive/_HOST@MITKDC:

Enter password for jdbc:hive2://vm-cdh-01:10000/asdasdasdasd;principal=hive/_HOST@MITKDC:

Connected to: Apache Hive (version 1.1.0-cdh5.4.8) 
Driver: Hive JDBC (version 1.1.0-cdh5.4.8) 
Transaction isolation: TRANSACTION_REPEATABLE_READ 
0: jdbc:hive2://vm-cdh-01:10000/asdas> show tables; 
Error: Error while processing statement: FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask.
Database does not exist: asdasdasdasd (state=08S01,code=1) 
0: jdbc:hive2://vm-cdh-01:10000/asdas> !connect jdbc:hive2://vm-cdh-01:10000/sriveradb;principal=hive/_HOST@MITKDC

Connecting to jdbc:hive2://vm-cdh-01:10000/sriveradb;principal=hive/_HOST@MITKDC 
Enter username for jdbc:hive2://vm-cdh-01:10000/sriveradb;principal=hive/_HOST@MITKDC: 
Enter password for jdbc:hive2://vm-cdh-01:10000/sriveradb;principal=hive/_HOST@MITKDC: 
Connected to: Apache Hive (version 1.1.0-cdh5.4.8) 
Driver: Hive JDBC (version 1.1.0-cdh5.4.8) 
Transaction isolation: TRANSACTION_REPEATABLE_READ 
1: jdbc:hive2://vm-cdh-01:10000/srive> show tables; 
-----------+
tab_name
-----------+ 
-----------+ 
No rows selected (1.09 seconds) 
1: jdbc:hive2://vm-cdh-01:10000/srive> 
1: jdbc:hive2://vm-cdh-01:10000/srive> 
1: jdbc:hive2://vm-cdh-01:10000/srive> 
1: jdbc:hive2://vm-cdh-01:10000/srive> 
1: jdbc:hive2://vm-cdh-01:10000/srive> 
1: jdbc:hive2://vm-cdh-01:10000/srive> !quit; 
Unknown command: quit; 
1: jdbc:hive2://vm-cdh-01:10000/srive> !quit; 
Unknown command: quit; 
1: jdbc:hive2://vm-cdh-01:10000/srive> !quit



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
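The report above boils down to a response-shape oracle: for a principal with no privileges on a database, connecting succeeds and SHOW TABLES comes back empty when the database exists, while a non-existent database name produces an explicit "Database does not exist" error. The following Python model is an added example, not code from the Sentry or Hive projects; the catalogue, table names and grants in it are constructed to mirror the session in the report. It shows the leaky behaviour beside a hardened variant that folds the authorisation decision into the existence check and returns an identical response in both failure cases, plus a regression check a test suite could run to confirm the two cases are no longer distinguishable.

```python
"""Model of the existence oracle described in SENTRY-1034 and a
response-shape fix.

Constructed example: database names, tables and grants are invented to
mirror the reported session, not real deployment data.
"""
from dataclasses import dataclass

# Constructed catalogue: three databases exist in the metastore.
ALL_DATABASES = {"default", "allianz_mvaldb", "sriveradb"}

# Constructed tables per database (what a fully privileged user would see).
TABLES = {
    "default": ["events"],
    "allianz_mvaldb": ["claims", "policies"],
    "sriveradb": ["salaries"],
}

# Constructed grants: database -> set of users allowed to see it.
GRANTS = {
    "default": {"allianz_mval"},
    "allianz_mvaldb": {"allianz_mval"},
    "sriveradb": {"srivera"},
}


@dataclass(frozen=True)
class Response:
    """What the client observes: success flag, message, visible tables."""
    ok: bool
    message: str
    tables: tuple = ()


def authorised(user: str, db: str) -> bool:
    """True if the user holds any grant on the database."""
    return user in GRANTS.get(db, set())


def show_databases(user: str) -> list:
    """SHOW DATABASES filtered by grants, as in the report's first session."""
    return sorted(db for db in ALL_DATABASES if authorised(user, db))


def connect_then_list_leaky(user: str, db: str) -> Response:
    """Behaviour the report describes: connect only checks that the database
    exists, and SHOW TABLES filters by grant afterwards. An existing but
    forbidden database therefore yields an empty table list, while a
    non-existent one yields an error, so the two cases are distinguishable."""
    if db not in ALL_DATABASES:
        return Response(False, f"Database does not exist: {db}")
    visible = tuple(t for t in TABLES[db] if authorised(user, db))
    return Response(True, "OK", visible)


def connect_then_list_strict(user: str, db: str) -> Response:
    """Hardened variant: the authorisation decision is evaluated together
    with the existence check, and both failures return the same message."""
    if db not in ALL_DATABASES or not authorised(user, db):
        return Response(False, "Database not found or not authorised")
    return Response(True, "OK", tuple(TABLES[db]))


def existence_oracle(handler, user: str, unauthorised_db: str, missing_db: str) -> bool:
    """Regression check: True if the handler lets an unprivileged caller tell
    an existing-but-forbidden database apart from a non-existent one."""
    return handler(user, unauthorised_db) != handler(user, missing_db)


if __name__ == "__main__":
    user = "allianz_mval"
    print("visible databases:", show_databases(user))
    for name, handler in (("leaky", connect_then_list_leaky),
                          ("strict", connect_then_list_strict)):
        leaks = existence_oracle(handler, user, "sriveradb", "asdasdasdasd")
        print(f"{name}: existence oracle present = {leaks}")
```

The regression check compares the whole response object, not just the success flag, because the leak in the report is carried by the difference between an empty result and an error text; any field that differs between the two cases is enough to reveal which database names exist.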
