[
https://issues.apache.org/jira/browse/SENTRY-2533?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16951468#comment-16951468
]
Wenchao Li commented on SENTRY-2533:
------------------------------------
[~kalyan] Hello!
I tested the change locally right now as `mvn test
-Dtest=org.apache.sentry.tests.e2e.hive.TestPrivilegesAtFunctionScope`, and the
test success as it did in the Jenkins console
output([https://builds.apache.org/job/PreCommit-SENTRY-Build/4432/console]).
{code:java}
19:01:44 [INFO] Running
org.apache.sentry.tests.e2e.hive.TestPrivilegesAtFunctionScope
19:02:58 [INFO] Tests run: 8, Failures: 0, Errors: 0, Skipped: 0, Time elapsed:
73.46 s - in org.apache.sentry.tests.e2e.hive.TestPrivilegesAtFunctionScope
{code}
Maybe you can try it again, thanks!!!
> The UDF in_file should be blacked default
> -----------------------------------------
>
> Key: SENTRY-2533
> URL: https://issues.apache.org/jira/browse/SENTRY-2533
> Project: Sentry
> Issue Type: New Feature
> Components: Sentry
> Affects Versions: 2.1.0
> Reporter: Wenchao Li
> Assignee: Wenchao Li
> Priority: Major
> Labels: security
> Attachments: SENTRY-2533.001.patch, SENTRY-2533.001.patch,
> SENTRY-2533.001.patch, SENTRY-2533.001.patch
>
>
> HIVE-20420(CVE-2018-11777) introduced a fallback authorizer factory which
> disallowed some builtin UDFs such as java_method, reflect, reflect2 and
> in_file. But Sentry does not black in_file up to now, so a malicious user can
> use in_file in SQL queries to detect some specific files on the HS2 host, or
> to detect whether a specific file has specific content. in_file should be
> added to HIVE_UDF_BLACK_LIST.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
