[ https://issues.apache.org/jira/browse/SENTRY-1694?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15969236#comment-15969236 ]

Sergio Peña commented on SENTRY-1694:
-------------------------------------

I dug more into this issue and found out that the URI normalization is only 
checked by the {{DBWildCardPrivilege}} class but not by the Kafka and Search 
implementations. 

It makes sense that when Hive attempts to call {{CREATE FUNCTION}}, then the 
Sentry client side checks for authorization on the URI returned by the Sentry 
server by calling the {{DBWildCardPrivilege.implies()}} method. This 
{{implies}} method will normalize the URI during internal private method 
calls, and it will return a YES or NO at the end.

This {{DBWildCardPrivilege}} is only used if you specify 
{{SimpleDBPolicyEngine}} in the "sentry.hive.policy.engine" configuration.

Doing the normalization check during the {{GRANT ALL ON URI}} might work if you 
only use Hive all the time. But my question now is: is the URI granted from 
Hive also used on other components like Kafka and Solr? If so, then might Kafka 
and Solr need the URI normalized? [~hahao] [~akolb]

> Hive/Sentry plugin doesn't check URI effectiveness when calling GRANT
> ---------------------------------------------------------------------
>
>                 Key: SENTRY-1694
>                 URL: https://issues.apache.org/jira/browse/SENTRY-1694
>             Project: Sentry
>          Issue Type: Bug
>          Components: Hive Plugin
>    Affects Versions: 1.7.0
>            Reporter: Sergio Peña
>            Assignee: Sergio Peña
>            Priority: Minor
>
> Sentry doesn't check URI effectiveness when executing GRANT commands on Hive, 
> even though it requires full URI path in HDFS.
> GRANT is allowing users to provide any invalid URI paths, like below:
> {noformat}
> GRANT ALL ON URI "hdfs://hdfs://localhost:8020:8020///tmp/myjar.jar" TO ROLE role1
> {noformat}
> If the user attempts to create a function from the correct URI, then Sentry 
> won't find the URI and it will fail with a permission denied.
> {noformat}
> Error: Error while compiling statement: FAILED: SemanticException No valid 
> privileges
> User sergio does not have privileges for CREATEFUNCTION
> The required privileges: 
> Server=server1->URI=hdfs://localhost:8020/tmp/myjar.jar->action=*; 
> (state=42000,code=40000)
> {noformat}
> I noticed that the Hive/Sentry plugin checks if the URI is normalized during 
> the CREATE FUNCTION command. If not, it will skip it and continue with other 
> available URI.
> I think we should apply the same normalization check during the GRANT to at 
> least alert the user that URI might be wrong.
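
A grant-time check of the kind the issue proposes could look like the sketch below. It is an added example, not Sentry's code: the class `GrantUriCheck`, the method `problems` and the specific rules are assumptions, and it uses only `java.net.URI` from the JDK. The two sample URIs are the ones quoted in the issue.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.List;

// Hypothetical grant-time URI check (not Sentry code; the rules are assumptions).
public class GrantUriCheck {

    /** Returns the problems found in a URI string; an empty list means none were found. */
    static List<String> problems(String raw) {
        List<String> out = new ArrayList<>();
        URI uri;
        try {
            uri = new URI(raw);
        } catch (URISyntaxException e) {
            out.add("not parseable: " + e.getReason());
            return out;
        }
        if (uri.getScheme() == null) {
            out.add("missing scheme");
        }
        if (uri.getHost() == null) {
            out.add("missing or malformed host[:port]");
        }
        String path = uri.getPath();
        if (path == null || !path.startsWith("/")) {
            out.add("missing absolute path");
        } else {
            // A stored grant that differs from its normalized form will not
            // match the normalized URI requested later at CREATE FUNCTION.
            if (path.contains("//") || !uri.normalize().getPath().equals(path)) {
                out.add("path is not normalized (empty, '.' or '..' segments)");
            }
            if (path.contains(":")) {
                out.add("':' inside the path, scheme or authority may be repeated");
            }
        }
        return out;
    }

    public static void main(String[] args) {
        String[] samples = {
            "hdfs://hdfs://localhost:8020:8020///tmp/myjar.jar", // GRANT from the issue
            "hdfs://localhost:8020/tmp/myjar.jar",               // URI from the error message
        };
        for (String s : samples) {
            List<String> p = problems(s);
            System.out.println((p.isEmpty() ? "OK      " : "WARNING ") + s + " " + p);
        }
    }
}
```

Returning a list of problems rather than throwing lets the caller decide whether to reject the GRANT or only warn the user, which is the behaviour the issue asks for.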


