Sergio Peña created SENTRY-1694:
-----------------------------------
Summary: Hive/Sentry plugin doesn't check URI effectiveness when calling GRANT
Key: SENTRY-1694
URL: https://issues.apache.org/jira/browse/SENTRY-1694
Project: Sentry
Issue Type: Bug
Components: Hive Plugin
Affects Versions: 1.7.0
Reporter: Sergio Peña
Assignee: Sergio Peña
Priority: Minor
Sentry doesn't check URI effectiveness when executing GRANT commands on Hive,
even though it requires a full URI path in HDFS.
GRANT allows users to provide any invalid URI path, like the one below:
{noformat}
GRANT ALL ON URI "hdfs://hdfs://localhost:8020:8020///tmp/myjar.jar" TO ROLE role1
{noformat}
If the user attempts to create a function from the correct URI, then Sentry
won't find the URI and it will fail with a permission denied error.
{noformat}
Error: Error while compiling statement: FAILED: SemanticException No valid privileges
 User sergio does not have privileges for CREATEFUNCTION
 The required privileges: Server=server1->URI=hdfs://localhost:8020/tmp/myjar.jar->action=*; (state=42000,code=40000)
{noformat}
I noticed that the Hive/Sentry plugin checks if the URI is normalized during
the CREATE FUNCTION command. If not, it will skip it and continue with the other
available URIs.
I think we should apply the same normalization check during the GRANT to at
least alert the user that the URI might be wrong.
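An added example, not part of the original report and not Sentry's own code: a pre-flight lint that an administrator could run over GRANT statements to flag URIs that are malformed or not normalized before the privilege is stored. The function names, the regular expressions and the rule that an `hdfs` URI needs a `host[:port]` authority are assumptions made for this illustration.

```python
import re
from urllib.parse import urlsplit

# Hypothetical helper names; this is a pre-flight lint, not Sentry's check.
GRANT_URI = re.compile(r"\bON\s+URI\s+[\"']([^\"']+)[\"']", re.IGNORECASE)
AUTHORITY = re.compile(r"[A-Za-z0-9.-]+(:\d{1,5})?")  # host or host:port

def uri_problems(raw):
    """Return reasons why `raw` is not a well-formed, normalized URI."""
    problems = []
    parts = urlsplit(raw)
    if not parts.scheme:
        problems.append("missing scheme")
    # Assumption: hdfs URIs must carry an authority (host[:port] or nameservice).
    if parts.scheme == "hdfs" and not AUTHORITY.fullmatch(parts.netloc):
        problems.append(f"authority {parts.netloc!r} is not host[:port]")
    segments = parts.path.split("/")[1:]
    if not parts.path.startswith("/"):
        problems.append("path is not absolute")
    elif any(s in ("", ".", "..") for s in segments[:-1]) or segments[-1] in (".", ".."):
        problems.append("path contains empty, '.' or '..' segments")
    return problems

def lint_grant(statement):
    """Return (uri, problems) for a GRANT ... ON URI statement, else None."""
    m = GRANT_URI.search(statement)
    if m is None:
        return None
    return m.group(1), uri_problems(m.group(1))

# Statements built from the URIs quoted in the report above.
SAMPLES = [
    'GRANT ALL ON URI "hdfs://hdfs://localhost:8020:8020///tmp/myjar.jar" TO ROLE role1',
    'GRANT ALL ON URI "hdfs://localhost:8020/tmp/myjar.jar" TO ROLE role1',
    "GRANT SELECT ON TABLE t1 TO ROLE role1",  # constructed: no URI, skipped
]

if __name__ == "__main__":
    for stmt in SAMPLES:
        result = lint_grant(stmt)
        if result is None:
            continue
        uri, problems = result
        print(("WARN " if problems else "OK   ") + uri)
        for p in problems:
            print("     - " + p)
```

A trailing slash on a directory URI is tolerated; any other empty segment, `.` or `..` is reported so that the mismatch surfaces at GRANT time rather than as a later permission failure.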