[ https://issues.apache.org/jira/browse/HIVE-26799?focusedWorklogId=830533&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-830533 ]
ASF GitHub Bot logged work on HIVE-26799: ----------------------------------------- Author: ASF GitHub Bot Created on: 02/Dec/22 06:14 Start Date: 02/Dec/22 06:14 Worklog Time Spent: 10m Work Description: saihemanth-cloudera commented on code in PR #3821: URL: https://github.com/apache/hive/pull/3821#discussion_r1037817687 ########## ql/src/java/org/apache/hadoop/hive/ql/parse/SemanticAnalyzer.java: ########## @@ -12550,6 +12550,21 @@ private ParseResult rewriteASTWithMaskAndFilter(TableMask tableMask, ASTNode ast } } + void gatherUserSuppliedFunctions(ASTNode ast) { + int tokenType = ast.getToken().getType(); + if (tokenType == HiveParser.TOK_FUNCTION || + tokenType == HiveParser.TOK_FUNCTIONDI || + tokenType == HiveParser.TOK_FUNCTIONSTAR) { + if (ast.getChild(0).getType() == HiveParser.Identifier) { + // maybe user supplied + this.userSuppliedFunctions.add(ast.getChild(0).getText()); Review Comment: I think this is the way to set field variables into the semantic analyzer object. Only then I can retrieve it in the `CommandAuthorizerV2` class ########## ql/src/java/org/apache/hadoop/hive/ql/parse/SemanticAnalyzer.java: ########## @@ -12550,6 +12550,21 @@ private ParseResult rewriteASTWithMaskAndFilter(TableMask tableMask, ASTNode ast } } + void gatherUserSuppliedFunctions(ASTNode ast) { + int tokenType = ast.getToken().getType(); + if (tokenType == HiveParser.TOK_FUNCTION || + tokenType == HiveParser.TOK_FUNCTIONDI || + tokenType == HiveParser.TOK_FUNCTIONSTAR) { + if (ast.getChild(0).getType() == HiveParser.Identifier) { + // maybe user supplied Review Comment: Ack ########## ql/src/java/org/apache/hadoop/hive/ql/parse/BaseSemanticAnalyzer.java: ########## @@ -1438,6 +1442,10 @@ public void setUpdateColumnAccessInfo(ColumnAccessInfo updateColumnAccessInfo) { this.updateColumnAccessInfo = updateColumnAccessInfo; } + public Set<String> getUserSuppliedFunctions() { Review Comment: Ack ########## common/src/java/org/apache/hadoop/hive/conf/HiveConf.java: ########## @@ -3599,6 +3599,9 @@ public static enum ConfVars { HIVE_AUTHORIZATION_TABLES_ON_STORAGEHANDLERS("hive.security.authorization.tables.on.storagehandlers", true, "Enables authorization on tables with custom storage handlers as implemented by HIVE-24705. " + "Default setting is true. Useful for turning the feature off if the corresponding ranger patch is missing."), + HIVE_AUTHORIZATION_FUNCTIONS_IN_VIEW("hive.security.authorization.functions.in.view", true, "" + Review Comment: Ack Issue Time Tracking ------------------- Worklog Id: (was: 830533) Time Spent: 0.5h (was: 20m) > Make authorizations on custom UDFs involved in tables/view configurable. > ------------------------------------------------------------------------ > > Key: HIVE-26799 > URL: https://issues.apache.org/jira/browse/HIVE-26799 > Project: Hive > Issue Type: New Feature > Components: HiveServer2, Security > Affects Versions: 4.0.0-alpha-2 > Reporter: Sai Hemanth Gantasala > Assignee: Sai Hemanth Gantasala > Priority: Major > Labels: pull-request-available > Time Spent: 0.5h > Remaining Estimate: 0h > > When Hive is using Ranger/Sentry as an authorization service, consider the > following scenario. > {code:java} > > create table test_udf(st string); // privileged user operation > > create function Udf_UPPER as 'openkb.hive.udf.MyUpper' using jar > > 'hdfs:///tmp/MyUpperUDF-1.0.0.jar'; // privileged user operation > > create view v1_udf as select udf_upper(st) from test_udf; // privileged > > user operation > //unprivileged user test_user is given select permissions on view v1_udf > > select * from v1_udf; {code} > It is expected that test_user needs to have select privilege on v1_udf and > select permissions on udf_upper custom UDF in order to do a select query on > view. > This patch introduces a configuration > "hive.security.authorization.functions.in.view"=false which disables > authorization on views associated with views/tables during the select query. > In this mode, only UDFs explicitly stated in the query would still be > authorized as it is currently. > The reason for making these custom UDFs associated with view/tables > authorizable is that currently, test_user will need to be granted select > permissions on the custom udf. and the test_user can use this UDF and query > against any other table, which is a security concern. -- This message was sent by Atlassian Jira (v8.20.10#820010)