[
https://issues.apache.org/jira/browse/HIVE-5253?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13782220#comment-13782220
]
Brock Noland commented on HIVE-5253:
------------------------------------
Hey Ashutosh,
Upon first look I had the same concern. Then after thinking about it, I don't
see how this is different than the TRANSFORM() or normal UDF functionality.
That is by default users can execute arbitrary code and this work doesn't
change that. From a Sentry perspective, this would have to be disabled due to
it's execution model (i.e. executing as the hive user).
You did remind me that I forgot one comment I was thinking of. I think we
should afford admins who want to disable this functionality the ability to do
so. Since such admins might want to disable other commands such as add or dfs,
it wouldn't be much trouble to allow them to do this as well. For example we
could have a configuration option "hive.available.commands" (or similar) which
specified add,set,delete,reset, etc by default. Then check this value in
CommandProcessorFactory. It would probably make sense to add this property to
the restrict list.
Also regarding my comment above "It looks like something is wrong with
TestCompileProcessor in the patch? Look how the class appears to be
concatenated to itself?" I see I was looking at v9 not v10. That item should be
ignored.
> Create component to compile and jar dynamic code
> ------------------------------------------------
>
> Key: HIVE-5253
> URL: https://issues.apache.org/jira/browse/HIVE-5253
> Project: Hive
> Issue Type: Sub-task
> Reporter: Edward Capriolo
> Assignee: Edward Capriolo
> Attachments: HIVE-5253.10.patch.txt, HIVE-5253.1.patch.txt,
> HIVE-5253.3.patch.txt, HIVE-5253.3.patch.txt, HIVE-5253.3.patch.txt,
> HIVE-5253.8.patch.txt, HIVE-5253.9.patch.txt, HIVE-5253.patch.txt
>
>
--
This message was sent by Atlassian JIRA
(v6.1#6144)
