Re: Review Request 48055: SENTRY-1209: Sentry does not block Hive's cross-schema table renames

Colin Ma Sun, 05 Jun 2016 23:50:55 -0700

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/48055/
-----------------------------------------------------------


(Updated June 6, 2016, 6:49 a.m.)


Review request for sentry and Sravya Tirukkovalur.


Repository: sentry


Description
-------

User Pete 
has read-write access to schema A
has read-only access to schema B

User Pete nevertheless was able to rename/move Hive table 
from schema A to schema B (where he has read-only access):

{quote}
use A;
alter table table_a rename to B.table_a;
{quote}

Hive allows to use rename table syntax to move tables across schemas, not just 
rename.

Sentry does not check security boundaries in this case.


Diffs (updated)
-----

  
sentry-binding/sentry-binding-hive-common/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHookBase.java
 dd16960 
  
sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
 a13ab79 
  
sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
 6c9f223 
  
sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbPrivilegeCleanupOnDrop.java
 767bcbe 
  
sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperationsPart2.java
 8eb2851 

Diff: https://reviews.apache.org/r/48055/diff/


Testing
-------


Thanks,

Colin Ma

Re: Review Request 48055: SENTRY-1209: Sentry does not block Hive's cross-schema table renames

Reply via email to