[
https://issues.apache.org/jira/browse/SENTRY-960?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15014763#comment-15014763
]
Sravya Tirukkovalur commented on SENTRY-960:
--------------------------------------------
[~Ryan P], looks like you have taken the whitelist approach in your earlier
patch (6), would you mind updating the whitelist to include other operators and
fixing the test failures? Let me know if you want me to pick it up. Seems like
we need to fix this sooner.
> Sentry no longer enforces it's whitelist
> ----------------------------------------
>
> Key: SENTRY-960
> URL: https://issues.apache.org/jira/browse/SENTRY-960
> Project: Sentry
> Issue Type: Bug
> Components: Sentry
> Reporter: Ryan P
> Assignee: Ryan P
> Attachments: SENTRY-960.2.patch, SENTRY-960.3.patch,
> SENTRY-960.4.patch, SENTRY-960.4.patch, SENTRY-960.5.patch,
> SENTRY-960.6.patch, SENTRY-960.7.patch, SENTRY-960.8.patch, SENTRY-960.patch
>
>
> HiveSemanticAnalyzerHookContext no longer includes built-in functions as an
> input to it's Read Entities. This change hides built in functions from
> HiveAuthzBindingHook which is a huge security hole.
> Failing to enforce the whitelist will allow users to execute such functions
> as REFLECT and JAVA_METHOD.
> https://cwiki.apache.org/confluence/display/Hive/ReflectUDF
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
