[jira] [Commented] (SENTRY-781) User can run function under a database that he/she has no access
[ https://issues.apache.org/jira/browse/SENTRY-781?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16482093#comment-16482093 ]

Eric Lin commented on SENTRY-781:
---------------------------------

I am working on it to see if I can find a solution to this issue.

> User can run function under a database that he/she has no access
> ----------------------------------------------------------------
>
> Key: SENTRY-781
> URL: https://issues.apache.org/jira/browse/SENTRY-781
> Project: Sentry
> Issue Type: Bug
> Components: Hive Plugin
> Affects Versions: 1.4.0
> Reporter: Eric Lin
> Priority: Minor
>
> When a user has no access to a particular database, he/she is still able to create a permanent function in it.
> For example, a role has no access to database "udf_test", as shown by the "show databases" command:
> {code}
> +----------------+--+
> | database_name  |
> +----------------+--+
> | default        |
> +----------------+--+
> {code}
> However, this role can do the following two things:
> {code}
> 0: jdbc:hive2://10.17.74.148:1/default> create function udf_test.upper_test as 'com.elin.ToUpper';
> No rows affected (0.216 seconds)
> {code}
> The jar file has been loaded into aux directory for Hive.
> {code}
> 0: jdbc:hive2://10.17.74.148:1/default> select udf_test.upper_test(code) from sample_07 limit 10;
> INFO : Number of reduce tasks is set to 0 since there's no reduce operator
> WARN : Hadoop command-line option parsing not performed. Implement the Tool interface and execute your application with ToolRunner to remedy this.
> INFO : number of splits:1
> INFO : Submitting tokens for job: job_1434092815442_0004
> INFO : Kind: HDFS_DELEGATION_TOKEN, Service: 10.17.74.148:8020, Ident: (HDFS_DELEGATION_TOKEN token 24 for hive)
> INFO : The url to track the job: http://host:8088/proxy/application_1434092815442_0004/
> INFO : Starting Job = job_1434092815442_0004, Tracking URL = http://host:8088/proxy/application_1434092815442_0004/
> INFO : Kill Command = /opt/cloudera/parcels/CDH-5.4.0-1.cdh5.4.0.p767.429/lib/hadoop/bin/hadoop job -kill job_1434092815442_0004
> INFO : Hadoop job information for Stage-1: number of mappers: 1; number of reducers: 0
> INFO : 2015-06-19 17:04:48,003 Stage-1 map = 0%, reduce = 0%
> INFO : 2015-06-19 17:05:08,172 Stage-1 map = 100%, reduce = 0%, Cumulative CPU 3.16 sec
> INFO : MapReduce Total cumulative CPU time: 3 seconds 160 msec
> INFO : Ended Job = job_1434092815442_0004
> {code}
> This violates the Sentry permission mechanism.

--
This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (SENTRY-781) User can run function under a database that he/she has no access
[ https://issues.apache.org/jira/browse/SENTRY-781?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16482090#comment-16482090 ]

Eric Lin commented on SENTRY-781:
---------------------------------

Looks like CREATE function has been fixed, DROP function is being fixed in SENTRY-2240. The remaining issue is running the function.
[jira] [Commented] (SENTRY-2240) User can DROP function under a database that he/she has no access
[ https://issues.apache.org/jira/browse/SENTRY-2240?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16482077#comment-16482077 ]

Eric Lin commented on SENTRY-2240:
----------------------------------

Review request: https://reviews.apache.org/r/67231/

> User can DROP function under a database that he/she has no access
> -----------------------------------------------------------------
>
> Key: SENTRY-2240
> URL: https://issues.apache.org/jira/browse/SENTRY-2240
> Project: Sentry
> Issue Type: Bug
> Components: Hive Binding
> Affects Versions: 1.8.0
> Reporter: Eric Lin
> Priority: Major
> Attachments: SENTRY-2240-1.patch
>
> User can DROP UDF function under a database that he/she has no access to.
> I created it as a separate JIRA from SENTRY-781 because the changes are quite different.
[jira] [Updated] (SENTRY-2240) User can DROP function under a database that he/she has no access
[ https://issues.apache.org/jira/browse/SENTRY-2240?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Eric Lin updated SENTRY-2240:
-----------------------------

    Attachment: SENTRY-2240-1.patch