sentry-commits mailing list archives

From "Anne Yu (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (SENTRY-1034) Security leak in beeline connect command
Date Thu, 28 Jan 2016 19:12:40 GMT

    [ https://issues.apache.org/jira/browse/SENTRY-1034?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15122131#comment-15122131 ]

Anne Yu commented on SENTRY-1034:
---------------------------------

Hi [~Bearricade], is it possible you could provide more information here? I've seen this once recently but couldn't reproduce it. If you can provide more details, that would be very helpful.

1) What kind of privileges does user allianz_mval have? You can post the "show grant role role_name on object" results here.

2) Does this happen only for this user, or for any other user as well? Does it happen occasionally, or is it always reproducible?

3) Does asdasdasdasd exist, or is it just a trash string?

Thanks a lot!

> Security leak in beeline connect command
> ----------------------------------------
>
>                 Key: SENTRY-1034
>                 URL: https://issues.apache.org/jira/browse/SENTRY-1034
>             Project: Sentry
>          Issue Type: Bug
>          Components: Core
>            Reporter: Istvan Vajnorak
>
> A possible info leak in the way beeline connects to databases and uses the ACLs to prevent seeing unauthorised databases and tables.
> It turns out that one can connect to a database that one should not see, but listing it afterwards gives no tables. This is still somewhat of a security breach, as an attacker can gain insight into what databases exist.
> The way the problem got identified:
> [root@prod-vm-cdh-mgr-01 ~]# kinit -kt ~/allianz_mval.keytab allianz_mval
> [root@prod-vm-cdh-mgr-01 ~]# beeline
> Beeline version 1.1.0-cdh5.4.8 by Apache Hive
> beeline> !connect jdbc:hive2://vm-cdh-01:10000/sriveradb;principal=hive/_HOST@MITKDC
> scan complete in 6ms
> Connecting to jdbc:hive2://vm-cdh-01:10000/sriveradb;principal=hive/_HOST@MITKDC
> Enter username for jdbc:hive2://vm-cdh-01:10000/sriveradb;principal=hive/_HOST@MITKDC:
> Enter password for jdbc:hive2://vm-cdh-01:10000/sriveradb;principal=hive/_HOST@MITKDC:
> Connected to: Apache Hive (version 1.1.0-cdh5.4.8)
> Driver: Hive JDBC (version 1.1.0-cdh5.4.8)
> Transaction isolation: TRANSACTION_REPEATABLE_READ
> 0: jdbc:hive2://vm-cdh-01:10000/srive> show databases;
> +-----------------+
> |  database_name  |
> +-----------------+
> | allianz_mvaldb  |
> | default         |
> +-----------------+
> 2 rows selected (0.726 seconds)
> 0: jdbc:hive2://vm-cdh-01:10000/srive> show tables;
> +-----------+
> | tab_name  |
> +-----------+
> +-----------+
> No rows selected (1.033 seconds)
> 0: jdbc:hive2://vm-cdh-01:10000/srive> !quit
> Closing: 0: jdbc:hive2://vm-cdh-01:10000/sriveradb;principal=hive/_HOST@MITKDC
> [root@prod-vm-cdh-mgr-01 ~]# beeline
> Beeline version 1.1.0-cdh5.4.8 by Apache Hive
> beeline> !connect jdbc:hive2://vm-cdh-01:10000/asdasdasdasd;principal=hive/_HOST@MITKDC
> scan complete in 2ms
> Connecting to jdbc:hive2://vm-cdh-01:10000/asdasdasdasd;principal=hive/_HOST@MITKDC
> Enter username for jdbc:hive2://vm-cdh-01:10000/asdasdasdasd;principal=hive/_HOST@MITKDC:
> Enter password for jdbc:hive2://vm-cdh-01:10000/asdasdasdasd;principal=hive/_HOST@MITKDC:
> Connected to: Apache Hive (version 1.1.0-cdh5.4.8)
> Driver: Hive JDBC (version 1.1.0-cdh5.4.8)
> Transaction isolation: TRANSACTION_REPEATABLE_READ
> 0: jdbc:hive2://vm-cdh-01:10000/asdas> show tables;
> Error: Error while processing statement: FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Database does not exist: asdasdasdasd (state=08S01,code=1)
> 0: jdbc:hive2://vm-cdh-01:10000/asdas> !connect jdbc:hive2://vm-cdh-01:10000/sriveradb;principal=hive/_HOST@MITKDC
> Connecting to jdbc:hive2://vm-cdh-01:10000/sriveradb;principal=hive/_HOST@MITKDC
> Enter username for jdbc:hive2://vm-cdh-01:10000/sriveradb;principal=hive/_HOST@MITKDC:
> Enter password for jdbc:hive2://vm-cdh-01:10000/sriveradb;principal=hive/_HOST@MITKDC:
> Connected to: Apache Hive (version 1.1.0-cdh5.4.8)
> Driver: Hive JDBC (version 1.1.0-cdh5.4.8)
> Transaction isolation: TRANSACTION_REPEATABLE_READ
> 1: jdbc:hive2://vm-cdh-01:10000/srive> show tables;
> +-----------+
> | tab_name  |
> +-----------+
> +-----------+
> No rows selected (1.09 seconds)
> 1: jdbc:hive2://vm-cdh-01:10000/srive>
> 1: jdbc:hive2://vm-cdh-01:10000/srive>
> 1: jdbc:hive2://vm-cdh-01:10000/srive>
> 1: jdbc:hive2://vm-cdh-01:10000/srive>
> 1: jdbc:hive2://vm-cdh-01:10000/srive>
> 1: jdbc:hive2://vm-cdh-01:10000/srive> !quit;
> Unknown command: quit;
> 1: jdbc:hive2://vm-cdh-01:10000/srive> !quit;
> Unknown command: quit;
> 1: jdbc:hive2://vm-cdh-01:10000/srive> !quit



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
