[ https://issues.apache.org/jira/browse/SENTRY-960?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15007562#comment-15007562 ]
Sravya Tirukkovalur commented on SENTRY-960:
--------------------------------------------
There is a workaround: setting the property
"hive.server2.builtin.udf.blacklist" to "reflect,reflect2,java_method" should
solve the problem.
We should probably document that these are the recommended values on our wiki.
Would also be good to make sure these are blocked from Sentry by always
appending our blacklist to the user-configured blacklist (call
FunctionRegistry.setupPermissionsForBuiltinUDFs from the hook).
> Sentry no longer enforces its whitelist
> ----------------------------------------
>
> Key: SENTRY-960
> URL: https://issues.apache.org/jira/browse/SENTRY-960
> Project: Sentry
> Issue Type: Bug
> Components: Sentry
> Reporter: Ryan P
> Assignee: Ryan P
> Attachments: SENTRY-960.2.patch, SENTRY-960.3.patch,
> SENTRY-960.4.patch, SENTRY-960.4.patch, SENTRY-960.patch
>
>
> HiveSemanticAnalyzerHookContext no longer includes built-in functions as an
> input to its Read Entities. This change hides built-in functions from
> HiveAuthzBindingHook, which is a huge security hole.
> Failing to enforce the whitelist will allow users to execute such functions
> as REFLECT and JAVA_METHOD.
> https://cwiki.apache.org/confluence/display/Hive/ReflectUDF
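An added example, not part of the original JIRA message or of Sentry's code: a Python check that reads a hive-site.xml document, reports which of the three UDFs named in the workaround are missing from "hive.server2.builtin.udf.blacklist", and builds the value that appends them to the user-configured list. The sample XML is constructed, and comparing names case-insensitively and using the last occurrence of a repeated property are assumptions of this example.

```python
import xml.etree.ElementTree as ET

PROPERTY = "hive.server2.builtin.udf.blacklist"
# Values recommended in the comment above.
REQUIRED = ("reflect", "reflect2", "java_method")

# Constructed sample: one UDF is already blacklisted, the other two are not.
SAMPLE_HIVE_SITE = """<?xml version="1.0"?>
<configuration>
  <property>
    <name>hive.server2.builtin.udf.blacklist</name>
    <value>Reflect, xpath_string</value>
  </property>
</configuration>
"""


def parse_list(value):
    """Split a comma-separated UDF list into lowercase names, dropping blanks."""
    # Assumption: names are compared case-insensitively.
    return [n.strip().lower() for n in (value or "").split(",") if n.strip()]


def configured_blacklist(hive_site_xml):
    """Return the blacklist entries found in a Hadoop-style configuration document."""
    root = ET.fromstring(hive_site_xml)
    value = None
    for prop in root.iter("property"):
        if (prop.findtext("name") or "").strip() == PROPERTY:
            value = prop.findtext("value")  # assumption: last occurrence is used
    return parse_list(value)


def audit(hive_site_xml, required=REQUIRED):
    """Return (missing, merged): required UDFs not blacklisted, and the value to set."""
    current = configured_blacklist(hive_site_xml)
    missing = [name for name in required if name not in current]
    # Keep the user's entries, append the required ones, drop duplicates in order.
    merged = list(dict.fromkeys(current + missing))
    return missing, ",".join(merged)


if __name__ == "__main__":
    missing, merged = audit(SAMPLE_HIVE_SITE)
    print("missing from blacklist:", ", ".join(missing) or "none")
    print("value to configure:", merged)
```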