[
https://issues.apache.org/jira/browse/HIVE-4887?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13850583#comment-13850583
]
Brock Noland commented on HIVE-4887:
------------------------------------
bq. It should be possible to to disable create function as well.
I would kindly suggest the following:
1) have a whitelist of UDFs which can be used when authorization is enabled as
some UDFs are insecure by default - java_method() or transform().
2) Add a URI privilege where admin's can give users permission to vetted jars.
Then when someone creates a UDF you can verify the class exists in a jar they
privilege to access.
> hive should have an option to disable non sql commands that impose security
> risk
> --------------------------------------------------------------------------------
>
> Key: HIVE-4887
> URL: https://issues.apache.org/jira/browse/HIVE-4887
> Project: Hive
> Issue Type: Sub-task
> Components: Authorization, Security
> Reporter: Thejas M Nair
> Original Estimate: 72h
> Remaining Estimate: 72h
>
> Hive's RDBMS style of authorization (using grant/revoke), relies on all data
> access being done through hive select queries. But hive also supports running
> dfs commands, shell commands (eg "!cat file"), and shell commands through
> hive streaming.
> This creates problems in securing a hive server using this authorization
> model. UDF is another way to write custom code that can compromise security,
> but you can control that by restricting access to users to be only through
> jdbc connection to hive server (2).
> (note that there are other major problems such as this one - HIVE-3271)
--
This message was sent by Atlassian JIRA
(v6.1.4#6159)
