[jira] [Commented] (SENTRY-781) User can run function under a database that he/she has no access

2018-05-20 Thread Eric Lin (JIRA)

[ 
https://issues.apache.org/jira/browse/SENTRY-781?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16482093#comment-16482093
 ] 

Eric Lin commented on SENTRY-781:
-

I am working on it to see if I can find a solution to this issue.

> User can run function under a database that he/she has no access
> 
>
> Key: SENTRY-781
> URL: https://issues.apache.org/jira/browse/SENTRY-781
> Project: Sentry
> Issue Type: Bug
> Components: Hive Plugin
> Affects Versions: 1.4.0
> Reporter: Eric Lin
> Priority: Minor
>
> When a user has no access to a particular database, he/she is still able to
> create a permanent function in it.
> For example, a role has no access to database "udf_test", as shown by the
> "show databases" command:
> {code}
> +----------------+--+
> | database_name  |
> +----------------+--+
> | default        |
> +----------------+--+
> {code}
> However, this role can do the following two things:
> {code}
> 0: jdbc:hive2://10.17.74.148:1/default> create function udf_test.upper_test as 'com.elin.ToUpper';
> No rows affected (0.216 seconds)
> {code}
> The jar file has been loaded into the aux directory for Hive.
> {code}
> 0: jdbc:hive2://10.17.74.148:1/default> select udf_test.upper_test(code) from sample_07 limit 10;
> INFO  : Number of reduce tasks is set to 0 since there's no reduce operator
> WARN  : Hadoop command-line option parsing not performed. Implement the Tool interface and execute your application with ToolRunner to remedy this.
> INFO  : number of splits:1
> INFO  : Submitting tokens for job: job_1434092815442_0004
> INFO  : Kind: HDFS_DELEGATION_TOKEN, Service: 10.17.74.148:8020, Ident: (HDFS_DELEGATION_TOKEN token 24 for hive)
> INFO  : The url to track the job: http://host:8088/proxy/application_1434092815442_0004/
> INFO  : Starting Job = job_1434092815442_0004, Tracking URL = http://host:8088/proxy/application_1434092815442_0004/
> INFO  : Kill Command = /opt/cloudera/parcels/CDH-5.4.0-1.cdh5.4.0.p767.429/lib/hadoop/bin/hadoop job  -kill job_1434092815442_0004
> INFO  : Hadoop job information for Stage-1: number of mappers: 1; number of reducers: 0
> INFO  : 2015-06-19 17:04:48,003 Stage-1 map = 0%,  reduce = 0%
> INFO  : 2015-06-19 17:05:08,172 Stage-1 map = 100%,  reduce = 0%, Cumulative CPU 3.16 sec
> INFO  : MapReduce Total cumulative CPU time: 3 seconds 160 msec
> INFO  : Ended Job = job_1434092815442_0004
> {code}
> This violates the Sentry permission mechanism.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
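
An added example, not part of the original messages and not Sentry's code: a heuristic audit check that flags CREATE FUNCTION, DROP FUNCTION and query-time calls to database-qualified functions whose database is outside the set a role can access (only "default" here, as in the report). The function names, the regex-based parsing and statements 3 to 5 are assumptions made for illustration; a production check would use the HiveQL parser.

```python
import re

# Quoted literals are blanked first so class names such as 'com.elin.ToUpper'
# are never mistaken for database.function references.
_LITERAL = re.compile(r"'(?:[^'\\]|\\.)*'|\"(?:[^\"\\]|\\.)*\"")
# CREATE/DROP [TEMPORARY] FUNCTION [IF [NOT] EXISTS] db.fn
_DDL = re.compile(
    r"\b(create|drop)\s+(?:temporary\s+)?function\s+"
    r"(?:if\s+(?:not\s+)?exists\s+)?`?(\w+)`?\.`?(\w+)`?", re.I)
# db.fn( ... ) appearing in a query
_CALL = re.compile(r"`?\b(\w+)`?\.`?(\w+)`?\s*\(")
# Words after which "db.name (" is a table reference, not a function call.
_TABLE_CONTEXT = {"into", "table", "from", "join"}


def qualified_function_refs(sql):
    """Return (action, database, function) for each db-qualified function use."""
    text = _LITERAL.sub("''", sql)
    refs = [(m.group(1).upper(), m.group(2).lower(), m.group(3).lower())
            for m in _DDL.finditer(text)]
    for m in _CALL.finditer(text):
        before = text[:m.start()].split()
        if before and before[-1].lower() in _TABLE_CONTEXT:
            continue  # e.g. INSERT INTO db.tbl (cols): a table privilege matter
        refs.append(("EXECUTE", m.group(1).lower(), m.group(2).lower()))
    return refs


def violations(sql, accessible_dbs):
    """References whose database is outside the role's accessible set."""
    allowed = {d.lower() for d in accessible_dbs}
    return [r for r in qualified_function_refs(sql) if r[1] not in allowed]


# Statements 1-2 are from the report; 3-5 are constructed for illustration.
STATEMENTS = [
    "create function udf_test.upper_test as 'com.elin.ToUpper';",
    "select udf_test.upper_test(code) from sample_07 limit 10;",
    "drop function if exists udf_test.upper_test;",
    "select upper(code) from default.sample_07;",
    "insert into udf_test.t (code) values ('x');",
]

if __name__ == "__main__":
    for stmt in STATEMENTS:
        print(violations(stmt, {"default"}), "<-", stmt)
```
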


[jira] [Commented] (SENTRY-781) User can run function under a database that he/she has no access

2018-05-20 Thread Eric Lin (JIRA)

[ 
https://issues.apache.org/jira/browse/SENTRY-781?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16482090#comment-16482090
 ] 

Eric Lin commented on SENTRY-781:
-

Looks like CREATE function has been fixed, DROP function is being fixed in 
SENTRY-2240.

The remaining issue is running the function.



[jira] [Commented] (SENTRY-2240) User can DROP function under a database that he/she has no access

2018-05-20 Thread Eric Lin (JIRA)

[ 
https://issues.apache.org/jira/browse/SENTRY-2240?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16482077#comment-16482077
 ] 

Eric Lin commented on SENTRY-2240:
--

Review request: https://reviews.apache.org/r/67231/

> User can DROP function under a database that he/she has no access
> -
>
> Key: SENTRY-2240
> URL: https://issues.apache.org/jira/browse/SENTRY-2240
> Project: Sentry
> Issue Type: Bug
> Components: Hive Binding
> Affects Versions: 1.8.0
> Reporter: Eric Lin
> Priority: Major
> Attachments: SENTRY-2240-1.patch
>
>
> User can DROP UDF function under a database that he/she has no access to.
> I created it as a separate JIRA from SENTRY-781 because the changes are quite
> different.





[jira] [Updated] (SENTRY-2240) User can DROP function under a database that he/she has no access

2018-05-20 Thread Eric Lin (JIRA)

 [ 
https://issues.apache.org/jira/browse/SENTRY-2240?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Eric Lin updated SENTRY-2240:
-
Attachment: SENTRY-2240-1.patch
