[
https://issues.apache.org/jira/browse/SENTRY-781?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Eric Lin updated SENTRY-781:
----------------------------
Description:
When a user has no access to a particular database, he/she is still able to
create a permanent function in it.
For example, a role has no access to database "udf_test", as shown by the "show
databases" command:
+----------------+--+
| database_name  |
+----------------+--+
| default        |
+----------------+--+
However, this role can do the following two things:
0: jdbc:hive2://10.17.74.148:10000/default> create function udf_test.upper_test
as 'com.elin.ToUpper';
No rows affected (0.216 seconds)
The jar file has been loaded into the aux directory for Hive.
0: jdbc:hive2://10.17.74.148:10000/default> select udf_test.upper_test(code)
from sample_07 limit 10;
INFO : Number of reduce tasks is set to 0 since there's no reduce operator
WARN : Hadoop command-line option parsing not performed. Implement the Tool
interface and execute your application with ToolRunner to remedy this.
INFO : number of splits:1
INFO : Submitting tokens for job: job_1434092815442_0004
INFO : Kind: HDFS_DELEGATION_TOKEN, Service: 10.17.74.148:8020, Ident:
(HDFS_DELEGATION_TOKEN token 24 for hive)
INFO : The url to track the job:
http://host:8088/proxy/application_1434092815442_0004/
INFO : Starting Job = job_1434092815442_0004, Tracking URL =
http://host:8088/proxy/application_1434092815442_0004/
INFO : Kill Command =
/opt/cloudera/parcels/CDH-5.4.0-1.cdh5.4.0.p767.429/lib/hadoop/bin/hadoop job
-kill job_1434092815442_0004
INFO : Hadoop job information for Stage-1: number of mappers: 1; number of
reducers: 0
INFO : 2015-06-19 17:04:48,003 Stage-1 map = 0%, reduce = 0%
INFO : 2015-06-19 17:05:08,172 Stage-1 map = 100%, reduce = 0%, Cumulative
CPU 3.16 sec
INFO : MapReduce Total cumulative CPU time: 3 seconds 160 msec
INFO : Ended Job = job_1434092815442_0004
This violates the sentry permission mechanism.
was:
When a user has no access to a particular database, he/she is still able to
create a permanent function in it.
For example, a role has no access to database "udf_test", as shown by the "show
databases" command:
+----------------+--+
| database_name  |
+----------------+--+
| default        |
+----------------+--+
However, this role can do the following two things:
0: jdbc:hive2://10.17.74.148:10000/default> create function udf_test.upper_test
as 'com.elin.ToUpper';
No rows affected (0.216 seconds)
The jar file has been loaded into the aux directory for Hive.
0: jdbc:hive2://10.17.74.148:10000/default> select udf_test.upper_test(code)
from sample_07 limit 10;
INFO : Number of reduce tasks is set to 0 since there's no reduce operator
WARN : Hadoop command-line option parsing not performed. Implement the Tool
interface and execute your application with ToolRunner to remedy this.
INFO : number of splits:1
INFO : Submitting tokens for job: job_1434092815442_0004
INFO : Kind: HDFS_DELEGATION_TOKEN, Service: 10.17.74.148:8020, Ident:
(HDFS_DELEGATION_TOKEN token 24 for hive)
INFO : The url to track the job:
http://host-10-17-74-148.coe.cloudera.com:8088/proxy/application_1434092815442_0004/
INFO : Starting Job = job_1434092815442_0004, Tracking URL =
http://host-10-17-74-148.coe.cloudera.com:8088/proxy/application_1434092815442_0004/
INFO : Kill Command =
/opt/cloudera/parcels/CDH-5.4.0-1.cdh5.4.0.p767.429/lib/hadoop/bin/hadoop job
-kill job_1434092815442_0004
INFO : Hadoop job information for Stage-1: number of mappers: 1; number of
reducers: 0
INFO : 2015-06-19 17:04:48,003 Stage-1 map = 0%, reduce = 0%
INFO : 2015-06-19 17:05:08,172 Stage-1 map = 100%, reduce = 0%, Cumulative
CPU 3.16 sec
INFO : MapReduce Total cumulative CPU time: 3 seconds 160 msec
INFO : Ended Job = job_1434092815442_0004
This violates the sentry permission mechanism.
> User can create/run function under a database that he/she has no access
> -----------------------------------------------------------------------
>
> Key: SENTRY-781
> URL: https://issues.apache.org/jira/browse/SENTRY-781
> Project: Sentry
> Issue Type: Bug
> Components: Hive Plugin
> Affects Versions: 1.4.0
> Reporter: Eric Lin
>
> When a user has no access to a particular database, he/she is still able to
> create a permanent function in it.
> For example, a role has no access to database "udf_test", as shown by the
> "show databases" command:
> +----------------+--+
> | database_name  |
> +----------------+--+
> | default        |
> +----------------+--+
> However, this role can do the following two things:
> 0: jdbc:hive2://10.17.74.148:10000/default> create function
> udf_test.upper_test as 'com.elin.ToUpper';
> No rows affected (0.216 seconds)
> The jar file has been loaded into the aux directory for Hive.
> 0: jdbc:hive2://10.17.74.148:10000/default> select udf_test.upper_test(code)
> from sample_07 limit 10;
> INFO : Number of reduce tasks is set to 0 since there's no reduce operator
> WARN : Hadoop command-line option parsing not performed. Implement the Tool
> interface and execute your application with ToolRunner to remedy this.
> INFO : number of splits:1
> INFO : Submitting tokens for job: job_1434092815442_0004
> INFO : Kind: HDFS_DELEGATION_TOKEN, Service: 10.17.74.148:8020, Ident:
> (HDFS_DELEGATION_TOKEN token 24 for hive)
> INFO : The url to track the job:
> http://host:8088/proxy/application_1434092815442_0004/
> INFO : Starting Job = job_1434092815442_0004, Tracking URL =
> http://host:8088/proxy/application_1434092815442_0004/
> INFO : Kill Command =
> /opt/cloudera/parcels/CDH-5.4.0-1.cdh5.4.0.p767.429/lib/hadoop/bin/hadoop job
> -kill job_1434092815442_0004
> INFO : Hadoop job information for Stage-1: number of mappers: 1; number of
> reducers: 0
> INFO : 2015-06-19 17:04:48,003 Stage-1 map = 0%, reduce = 0%
> INFO : 2015-06-19 17:05:08,172 Stage-1 map = 100%, reduce = 0%, Cumulative
> CPU 3.16 sec
> INFO : MapReduce Total cumulative CPU time: 3 seconds 160 msec
> INFO : Ended Job = job_1434092815442_0004
> This violates the sentry permission mechanism.
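
A defender-side check for the condition reported above, added here as an example (it is not Sentry or Hive code): given the databases a role can see, it flags statements that create or call a permanent function in any other database. The name `audit`, the regular expressions and the extra sample statements are assumptions made for illustration, and the matching is a heuristic rather than a HiveQL parser.

```python
import re

# CREATE [TEMPORARY] FUNCTION [db.]name AS 'class' (HiveQL; backticks optional)
CREATE_FN = re.compile(
    r"^\s*create\s+(temporary\s+)?function\s+(?:`?(\w+)`?\.)?`?(\w+)`?\s+as\s+'([^']+)'",
    re.IGNORECASE,
)
# Database-qualified function call, e.g. udf_test.upper_test(
CALL_FN = re.compile(r"\b(\w+)\.(\w+)\s*\(")


def audit(statements, visible_dbs, session_db="default"):
    """Return (kind, database, function) for every statement that creates or
    calls a permanent function in a database outside visible_dbs."""
    visible = {d.lower() for d in visible_dbs}
    findings = []
    for sql in statements:
        m = CREATE_FN.match(sql)
        if m:
            temporary, db, name, _class_name = m.groups()
            if temporary:
                continue  # temporary functions are session-scoped, not stored in a database
            db = (db or session_db).lower()  # unqualified name lands in the session database
            if db not in visible:
                findings.append(("create", db, name.lower()))
            continue
        for db, name in CALL_FN.findall(sql):
            if db.lower() not in visible:
                findings.append(("call", db.lower(), name.lower()))
    return findings


# Databases the role sees in "show databases" in the report.
VISIBLE = ["default"]
SAMPLE = [
    # The two statements from the report.
    "create function udf_test.upper_test as 'com.elin.ToUpper';",
    "select udf_test.upper_test(code) from sample_07 limit 10;",
    # Constructed statements that should not be flagged.
    "create temporary function tmp_upper as 'com.elin.ToUpper';",
    "create function default.ok_upper as 'com.elin.ToUpper';",
    "select upper(code) from sample_07 limit 10;",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE, VISIBLE):
        print(finding)
```
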