[jira] [Work logged] (HIVE-26799) Make authorizations on custom UDFs involved in tables/view configurable.

ASF GitHub Bot (Jira) Thu, 01 Dec 2022 11:30:30 -0800


     [ 
https://issues.apache.org/jira/browse/HIVE-26799?focusedWorklogId=830439&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-830439
 ]


ASF GitHub Bot logged work on HIVE-26799:
-----------------------------------------

                Author: ASF GitHub Bot
            Created on: 01/Dec/22 19:29
            Start Date: 01/Dec/22 19:29
    Worklog Time Spent: 10m 
      Work Description: jfsii commented on code in PR #3821:
URL: https://github.com/apache/hive/pull/3821#discussion_r1037478327


##########
ql/src/java/org/apache/hadoop/hive/ql/parse/SemanticAnalyzer.java:
##########
@@ -12550,6 +12550,21 @@ private ParseResult 
rewriteASTWithMaskAndFilter(TableMask tableMask, ASTNode ast
     }
   }
 
+  void gatherUserSuppliedFunctions(ASTNode ast) {
+    int tokenType = ast.getToken().getType();
+    if (tokenType == HiveParser.TOK_FUNCTION ||
+            tokenType == HiveParser.TOK_FUNCTIONDI ||
+            tokenType == HiveParser.TOK_FUNCTIONSTAR) {
+      if (ast.getChild(0).getType() == HiveParser.Identifier) {
+        // maybe user supplied
+        this.userSuppliedFunctions.add(ast.getChild(0).getText());

Review Comment:
   I'm not sure of Hive's stance on this - but I usually only use this when 
forced to. Like in a setter in which the in parameter is named the same as the 
object variable. Feel free to ignore if you disagree.



##########
ql/src/java/org/apache/hadoop/hive/ql/parse/SemanticAnalyzer.java:
##########
@@ -12550,6 +12550,21 @@ private ParseResult 
rewriteASTWithMaskAndFilter(TableMask tableMask, ASTNode ast
     }
   }
 
+  void gatherUserSuppliedFunctions(ASTNode ast) {
+    int tokenType = ast.getToken().getType();
+    if (tokenType == HiveParser.TOK_FUNCTION ||
+            tokenType == HiveParser.TOK_FUNCTIONDI ||
+            tokenType == HiveParser.TOK_FUNCTIONSTAR) {
+      if (ast.getChild(0).getType() == HiveParser.Identifier) {
+        // maybe user supplied

Review Comment:
   Go ahead and remove this comment, I'm not sure why I added it.



##########
ql/src/java/org/apache/hadoop/hive/ql/security/authorization/command/CommandAuthorizerV2.java:
##########
@@ -139,6 +139,13 @@ private static List<HivePrivilegeObject> 
getHivePrivObjects(List<? extends Entit
         continue;
       }
 
+      if (privObject.getTyp() == Type.FUNCTION && 
!HiveConf.getBoolVar(SessionState.get().getConf(),
+              HiveConf.ConfVars.HIVE_AUTHORIZATION_FUNCTIONS_IN_VIEW) && 
hiveOpType == HiveOperationType.QUERY) {
+        if 
(!sem.getUserSuppliedFunctions().contains(privObject.getFunctionName())) {
+          continue;

Review Comment:
   Is it possible to add test cases that show the behavior in a couple of cases 
(maybe similar to the authorization_view_*.q tests?). Ideally - I would like to 
see a query with a user supplied udf with a table, a view, and see how it also 
interacts with MVs. Ideally the q.out file would show which objects are being 
sent for authorization so it can catch the regression on when it sends an extra 
UDFs for auth (or doesn't send the user supplied one for auth).



##########
ql/src/java/org/apache/hadoop/hive/ql/parse/BaseSemanticAnalyzer.java:
##########
@@ -1438,6 +1442,10 @@ public void setUpdateColumnAccessInfo(ColumnAccessInfo 
updateColumnAccessInfo) {
     this.updateColumnAccessInfo = updateColumnAccessInfo;
   }
 
+  public Set<String> getUserSuppliedFunctions() {

Review Comment:
   Maybe add java doc with a note that it contains user supplied functions - 
and note that it doesn't contain UDFs defined in views, etc.



##########
ql/src/java/org/apache/hadoop/hive/ql/security/authorization/command/CommandAuthorizerV2.java:
##########
@@ -98,7 +98,7 @@ private static void addPermanentFunctionEntities(SessionState 
ss, List<ReadEntit
   }
 
   private static List<HivePrivilegeObject> getHivePrivObjects(List<? extends 
Entity> privObjects,
-      Map<String, List<String>> tableName2Cols, HiveOperationType hiveOpType) 
throws HiveException {
+      Map<String, List<String>> tableName2Cols, HiveOperationType hiveOpType, 
BaseSemanticAnalyzer sem) throws HiveException {
     List<HivePrivilegeObject> hivePrivobjs = new 
ArrayList<HivePrivilegeObject>();
     if (privObjects == null){

Review Comment:
   nit: If I was editing this method - I would maybe consider making the format 
uniform within in it.
   I.E. it seems to have at least 3 different coding styles.
   if (conditional){
   if(conditional){
   if (conditional) {



##########
common/src/java/org/apache/hadoop/hive/conf/HiveConf.java:
##########
@@ -3599,6 +3599,9 @@ public static enum ConfVars {
     
HIVE_AUTHORIZATION_TABLES_ON_STORAGEHANDLERS("hive.security.authorization.tables.on.storagehandlers",
 true,
         "Enables authorization on tables with custom storage handlers as 
implemented by HIVE-24705. " +
         "Default setting is true. Useful for turning the feature off if the 
corresponding ranger patch is missing."),
+    
HIVE_AUTHORIZATION_FUNCTIONS_IN_VIEW("hive.security.authorization.functions.in.view",
 true, "" +

Review Comment:
   Is the "" + needed?





Issue Time Tracking
-------------------

    Worklog Id:     (was: 830439)
    Time Spent: 20m  (was: 10m)

> Make authorizations on custom UDFs involved in tables/view configurable.
> ------------------------------------------------------------------------
>
>                 Key: HIVE-26799
>                 URL: https://issues.apache.org/jira/browse/HIVE-26799
>             Project: Hive
>          Issue Type: New Feature
>          Components: HiveServer2, Security
>    Affects Versions: 4.0.0-alpha-2
>            Reporter: Sai Hemanth Gantasala
>            Assignee: Sai Hemanth Gantasala
>            Priority: Major
>              Labels: pull-request-available
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> When Hive is using Ranger/Sentry as an authorization service, consider the 
> following scenario.
> {code:java}
> > create table test_udf(st string);   // privileged user operation 
> > create function Udf_UPPER as 'openkb.hive.udf.MyUpper' using jar 
> > 'hdfs:///tmp/MyUpperUDF-1.0.0.jar'; // privileged user operation
> > create view v1_udf as select udf_upper(st) from test_udf; // privileged 
> > user operation
> //unprivileged user test_user is given select permissions on view v1_udf
> > select * from v1_udf;  {code}
> It is expected that test_user needs to have select privilege on v1_udf and 
> select permissions on udf_upper custom UDF in order to do a select query on 
> view. 
> This patch introduces a configuration 
> "hive.security.authorization.functions.in.view"=false which disables 
> authorization on views associated with views/tables during the select query. 
> In this mode, only UDFs explicitly stated in the query would still be 
> authorized as it is currently.
> The reason for making these custom UDFs associated with view/tables 
> authorizable is that currently, test_user will need to be granted select 
> permissions on the custom udf. and the test_user can use this UDF and query 
> against any other table, which is a security concern.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Work logged] (HIVE-26799) Make authorizations on custom UDFs involved in tables/view configurable.

Reply via email to