[jira] [Commented] (SENTRY-1694) Hive/Sentry plugin doesn't check URI effectiveness when calling GRANT

Wed, 05 Apr 2017 11:55:28 -0700 

    [ 
https://issues.apache.org/jira/browse/SENTRY-1694?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15957437#comment-15957437
 ] 

Alexander Kolbasov commented on SENTRY-1694:
--------------------------------------------

The JIRA says: Hive/Sentry plugin doesn't check URI effectiveness". Later in 
the comment you say:

I noticed that the Hive/Sentry plugin checks if the URI is normalized during 
the CREATE FUNCTION command. If not, it will skip it and continue with other 
available URI.

So does it check it or not? Who should do the checking in this case - Hive or 
Sentry plugin?

If Hive is happy with the URI, is there a reason Sentry shouldn't be? Should 
Sentry be more strict then Hive in handling bad URIs?

> Hive/Sentry plugin doesn't check URI effectiveness when calling GRANT
> ---------------------------------------------------------------------
>
>                 Key: SENTRY-1694
>                 URL: https://issues.apache.org/jira/browse/SENTRY-1694
>             Project: Sentry
>          Issue Type: Bug
>          Components: Hive Plugin
>    Affects Versions: 1.7.0
>            Reporter: Sergio Peña
>            Assignee: Sergio Peña
>            Priority: Minor
>
> Sentry doesn't check URI effectiveness when executing GRANT commands on Hive, 
> even though it requires full URI path in HDFS.
> GRANT is allowing users to provide any invalid URI paths, like below:
> {noformat}
> GRANT ALL ON URI "hdfs://hdfs://localhost:8020:8020///tmp/myjar.jar" TO ROLE 
> role1"
> {noformat}
> If the user attempts to create a function from the correct URI, then Sentry 
> won't find the URI and it will fail with a permission denied.
> {noformat}
> Error: Error while compiling statement: FAILED: SemanticException No valid 
> privileges
> User sergio does not have privileges for CREATEFUNCTION
> The required privileges: 
> Server=server1->URI=hdfs://localhost:8020/tmp/myjar.jar->action=*; 
> (state=42000,code=40000)
> {noformat}
> I noticed that the Hive/Sentry plugin checks if the URI is normalized during 
> the CREATE FUNCTION command. If not, it will skip it and continue with other 
> available URI.
> I think we should apply the same normalization check during the GRANT to at 
> least alert the user that URI might be wrong.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Reply via email to