[ https://issues.apache.org/jira/browse/SENTRY-1694?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15957854#comment-15957854 ]
Sergio Peña commented on SENTRY-1694:
-------------------------------------
The check happens on the Sentry plugin (client) when Hive CREATE FUNCTION
requests permissions from Sentry for a specific URI. The Sentry plugin (client)
requests all URI objects from the Sentry server, and then for each URI the
Sentry plugin checks if it is normalized. If it is not normalized, then it
skips it (without attempting to find a match) and continues with the next URI.
When the GRANT PRIVILEGE ON URI is executed prior to the CREATE FUNCTION,
then the Sentry plugin (client) only sends the URI path to the Sentry server.
It does not check anything. I think we could use the same normalization check
in this part as an early error check.
> Hive/Sentry plugin doesn't check URI effectiveness when calling GRANT
> ---------------------------------------------------------------------
>
> Key: SENTRY-1694
> URL: https://issues.apache.org/jira/browse/SENTRY-1694
> Project: Sentry
> Issue Type: Bug
> Components: Hive Plugin
> Affects Versions: 1.7.0
> Reporter: Sergio Peña
> Assignee: Sergio Peña
> Priority: Minor
>
> Sentry doesn't check URI effectiveness when executing GRANT commands on Hive,
> even though it requires a full URI path in HDFS.
> GRANT is allowing users to provide any invalid URI paths, like below:
> {noformat}
> GRANT ALL ON URI "hdfs://hdfs://localhost:8020:8020///tmp/myjar.jar" TO ROLE role1"
> {noformat}
> If the user attempts to create a function from the correct URI, then Sentry
> won't find the URI and it will fail with a permission denied.
> {noformat}
> Error: Error while compiling statement: FAILED: SemanticException No valid privileges
> User sergio does not have privileges for CREATEFUNCTION
> The required privileges: Server=server1->URI=hdfs://localhost:8020/tmp/myjar.jar->action=*; (state=42000,code=40000)
> {noformat}
> I noticed that the Hive/Sentry plugin checks if the URI is normalized during
> the CREATE FUNCTION command. If not, it will skip it and continue with other
> available URIs.
> I think we should apply the same normalization check during the GRANT to at
> least alert the user that the URI might be wrong.
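The behaviour described in this message, as an added Python sketch (not Sentry's or Hive's Java code): stored grants that fail a normalization check are skipped at CREATE FUNCTION time, and the same check applied at GRANT time rejects the malformed URI up front. The helper names `normalize_path`, `uri_problem`, `find_grant` and `grant`, the prefix-match rule and the exact normalization rules are assumptions made for illustration; the two URIs are the ones quoted in the issue.

```python
from urllib.parse import urlsplit

# Both URIs are taken from the issue text.
BAD = "hdfs://hdfs://localhost:8020:8020///tmp/myjar.jar"
GOOD = "hdfs://localhost:8020/tmp/myjar.jar"

def normalize_path(path):
    """Collapse empty and '.' segments and resolve '..', keeping a trailing slash."""
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    tail = "/" if out and path.endswith("/") else ""
    return "/" + "/".join(out) + tail

def uri_problem(raw):
    """Return None for a usable URI, otherwise a short reason (hypothetical helper)."""
    try:
        parts = urlsplit(raw)
        parts.port  # raises ValueError when the port is not numeric
    except ValueError as exc:
        return f"unparseable: {exc}"
    if not parts.scheme:
        return "missing scheme"
    if parts.path != normalize_path(parts.path):
        return "path is not normalized"
    return None

def find_grant(grants, requested):
    """CREATE FUNCTION side: grants that fail the check are skipped, not matched."""
    for granted in grants:
        if uri_problem(granted):
            continue
        # Simplified prefix match; the real matching rule is an assumption here.
        if requested == granted or requested.startswith(granted.rstrip("/") + "/"):
            return granted
    return None

def grant(grants, raw):
    """GRANT side with the early check the comment proposes."""
    problem = uri_problem(raw)
    if problem:
        raise ValueError(f"GRANT ON URI rejected ({problem}): {raw}")
    grants.append(raw)
```

With only the malformed grant stored, `find_grant([BAD], GOOD)` returns `None`, which corresponds to the permission-denied error in the report; `grant([], BAD)` raises instead of storing a privilege that can never match.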