[
https://issues.apache.org/jira/browse/SENTRY-960?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15014760#comment-15014760
]
Sravya Tirukkovalur commented on SENTRY-960:
--------------------------------------------
The above patch adds the risky commands to the blacklist, and the whitelist is empty,
which means all other commands are allowed.
For the following reasons, it looks like taking the whitelisting approach
is the right approach:
1. Use whitelist.
Pro: Gives protection from potentially risky commands added in the future.
Con: Commands added in the future will have to be added explicitly.
2. Use blacklist.
Pro: Code is simpler, as we just blacklist reflect, reflect2, java_method.
Con: New risky commands are allowed until we make an explicit change in Sentry.
Thoughts [~lskuff], [~Ryan P], [~hahao]?
> Sentry no longer enforces its whitelist
> ---------------------------------------
>
> Key: SENTRY-960
> URL: https://issues.apache.org/jira/browse/SENTRY-960
> Project: Sentry
> Issue Type: Bug
> Components: Sentry
> Reporter: Ryan P
> Assignee: Ryan P
> Attachments: SENTRY-960.2.patch, SENTRY-960.3.patch,
> SENTRY-960.4.patch, SENTRY-960.4.patch, SENTRY-960.5.patch,
> SENTRY-960.6.patch, SENTRY-960.7.patch, SENTRY-960.8.patch, SENTRY-960.patch
>
>
> HiveSemanticAnalyzerHookContext no longer includes built-in functions as an
> input to its Read Entities. This change hides built-in functions from
> HiveAuthzBindingHook, which is a huge security hole.
> Failing to enforce the whitelist will allow users to execute such functions
> as REFLECT and JAVA_METHOD.
> https://cwiki.apache.org/confluence/display/Hive/ReflectUDF
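The whitelist/blacklist trade-off weighed in the comment above, as an added example that is not part of the original message and is not Sentry's code. The class, the method names, the sample whitelist and the two `future_*` function names are hypothetical; only `reflect`, `reflect2` and `java_method` come from the thread.

```java
import java.util.*;

// Added illustration; class, method and sample function names are hypothetical.
public class UdfPolicyDemo {
    enum Mode { WHITELIST, BLACKLIST }

    // Hive function names are case-insensitive, so compare in lower case.
    static String norm(String fn) { return fn.trim().toLowerCase(Locale.ROOT); }

    static Set<String> normAll(Collection<String> names) {
        Set<String> out = new TreeSet<>();
        for (String n : names) out.add(norm(n));
        return out;
    }

    // Returns the functions used by a query that the policy rejects (empty set = allowed).
    static Set<String> rejected(Mode mode, Collection<String> policyList, Collection<String> used) {
        Set<String> policy = normAll(policyList);
        Set<String> bad = new TreeSet<>();
        for (String fn : normAll(used)) {
            boolean listed = policy.contains(fn);
            // Whitelist: reject anything not listed. Blacklist: reject only what is listed.
            if (mode == Mode.WHITELIST ? !listed : listed) bad.add(fn);
        }
        return bad;
    }

    public static void main(String[] args) {
        List<String> blacklist = Arrays.asList("reflect", "reflect2", "java_method");
        // Constructed whitelist of functions an administrator has reviewed.
        List<String> whitelist = Arrays.asList("concat", "lower", "count");

        // Constructed queries, given as the function names each one calls.
        // The "future_*" names are made-up stand-ins for built-ins added in a later release.
        Map<String, List<String>> queries = new LinkedHashMap<>();
        queries.put("benign", Arrays.asList("CONCAT", "lower"));
        queries.put("known risky", Arrays.asList("Java_Method", "count"));
        queries.put("future risky", Arrays.asList("future_exec_udf"));
        queries.put("new benign", Arrays.asList("future_string_udf"));

        for (Map.Entry<String, List<String>> q : queries.entrySet()) {
            System.out.printf("%-13s whitelist rejects %s, blacklist rejects %s%n", q.getKey(),
                rejected(Mode.WHITELIST, whitelist, q.getValue()),
                rejected(Mode.BLACKLIST, blacklist, q.getValue()));
        }
    }
}
```

The last two rows show both sides of the comment's list: the blacklist lets the unreviewed risky function through until it is updated, while the whitelist blocks it along with the harmless new function until someone adds that one explicitly.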