hive-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From br...@apache.org
Subject svn commit: r1655902 - in /hive/branches/branch-1.1: ./ itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/ ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/ service/src/java/org/apache/hive/service/cli/ service/src/ja...
Date Fri, 30 Jan 2015 01:49:49 GMT
Author: brock
Date: Fri Jan 30 01:49:48 2015
New Revision: 1655902

URL: http://svn.apache.org/r1655902
Log:
HIVE-9473 : sql std auth should disallow built-in udfs that allow any java methods to be called
(Thejas Nair, reviewed by Jason Dere)

Added:
    hive/branches/branch-1.1/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestJdbcWithSQLAuthUDFBlacklist.java
      - copied unchanged from r1655895, hive/trunk/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestJdbcWithSQLAuthUDFBlacklist.java
Modified:
    hive/branches/branch-1.1/   (props changed)
    hive/branches/branch-1.1/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestJdbcWithSQLAuthorization.java
    hive/branches/branch-1.1/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/SettableConfigUpdater.java
    hive/branches/branch-1.1/service/src/java/org/apache/hive/service/cli/CLIService.java
    hive/branches/branch-1.1/service/src/java/org/apache/hive/service/cli/session/SessionManager.java

Propchange: hive/branches/branch-1.1/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Fri Jan 30 01:49:48 2015
@@ -3,4 +3,4 @@
 /hive/branches/spark:1608589-1654414
 /hive/branches/tez:1494760-1622766
 /hive/branches/vectorization:1466908-1527856
-/hive/trunk:1655202,1655210,1655213,1655436,1655460,1655894
+/hive/trunk:1655202,1655210,1655213,1655436,1655460,1655894-1655895

Modified: hive/branches/branch-1.1/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestJdbcWithSQLAuthorization.java
URL: http://svn.apache.org/viewvc/hive/branches/branch-1.1/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestJdbcWithSQLAuthorization.java?rev=1655902&r1=1655901&r2=1655902&view=diff
==============================================================================
--- hive/branches/branch-1.1/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestJdbcWithSQLAuthorization.java
(original)
+++ hive/branches/branch-1.1/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestJdbcWithSQLAuthorization.java
Fri Jan 30 01:49:48 2015
@@ -140,4 +140,39 @@ public class TestJdbcWithSQLAuthorizatio
     }
   }
 
+  @Test
+  public void testBlackListedUdfUsage() throws Exception {
+
+    // create tables as user1
+    Connection hs2Conn = getConnection("user1");
+
+    Statement stmt = hs2Conn.createStatement();
+    String tableName1 = "test_jdbc_sql_auth_udf";
+    stmt.execute("create table " + tableName1 + "(i int) ");
+
+    verifyUDFNotAllowed(stmt, tableName1, "reflect('java.lang.String', 'valueOf', 1)", "reflect");
+    verifyUDFNotAllowed(stmt, tableName1, "reflect2('java.lang.String', 'valueOf', 1)", "reflect2");
+    verifyUDFNotAllowed(stmt, tableName1, "java_method('java.lang.String', 'valueOf', 1)",
+        "java_method");
+
+    stmt.close();
+    hs2Conn.close();
+  }
+
+  private void verifyUDFNotAllowed(Statement stmt, String tableName, String udfcall, String
udfname) {
+    try {
+      stmt.execute("SELECT " + udfcall + " from " + tableName);
+      fail("Disallowed udf usage should have resulted in error");
+    } catch (SQLException e) {
+      checkAssertContains("UDF " + udfname + " is not allowed", e.getMessage());
+    }
+  }
+
+  private void checkAssertContains(String expectedSubString, String message) {
+    if (message.contains(expectedSubString)) {
+      return;
+    }
+    fail("Message [" + message + "] does not contain substring [" + expectedSubString + "]");
+  }
+
 }

Modified: hive/branches/branch-1.1/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/SettableConfigUpdater.java
URL: http://svn.apache.org/viewvc/hive/branches/branch-1.1/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/SettableConfigUpdater.java?rev=1655902&r1=1655901&r2=1655902&view=diff
==============================================================================
--- hive/branches/branch-1.1/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/SettableConfigUpdater.java
(original)
+++ hive/branches/branch-1.1/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/SettableConfigUpdater.java
Fri Jan 30 01:49:48 2015
@@ -58,6 +58,13 @@ public class SettableConfigUpdater {
     }
 
     hiveConf.setModifiableWhiteListRegex(whiteListParamsStr);
+
+    // disallow udfs that can potentially allow untrusted code execution
+    // if admin has already customized this list, honor that
+    String curBlackList = hiveConf.getVar(ConfVars.HIVE_SERVER2_BUILTIN_UDF_BLACKLIST);
+    if (curBlackList == null || curBlackList.trim().isEmpty()) {
+      hiveConf.setVar(ConfVars.HIVE_SERVER2_BUILTIN_UDF_BLACKLIST, "reflect,reflect2,java_method");
+    }
   }
 
 }

Modified: hive/branches/branch-1.1/service/src/java/org/apache/hive/service/cli/CLIService.java
URL: http://svn.apache.org/viewvc/hive/branches/branch-1.1/service/src/java/org/apache/hive/service/cli/CLIService.java?rev=1655902&r1=1655901&r2=1655902&view=diff
==============================================================================
--- hive/branches/branch-1.1/service/src/java/org/apache/hive/service/cli/CLIService.java
(original)
+++ hive/branches/branch-1.1/service/src/java/org/apache/hive/service/cli/CLIService.java
Fri Jan 30 01:49:48 2015
@@ -37,7 +37,7 @@ import org.apache.hadoop.hive.metastore.
 import org.apache.hadoop.hive.ql.exec.FunctionRegistry;
 import org.apache.hadoop.hive.ql.metadata.Hive;
 import org.apache.hadoop.hive.ql.metadata.HiveException;
-import org.apache.hadoop.hive.shims.ShimLoader;
+import org.apache.hadoop.hive.ql.session.SessionState;
 import org.apache.hadoop.hive.shims.Utils;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hive.service.CompositeService;
@@ -48,9 +48,6 @@ import org.apache.hive.service.cli.sessi
 import org.apache.hive.service.cli.thrift.TProtocolVersion;
 import org.apache.hive.service.server.HiveServer2;
 
-import com.google.common.base.Splitter;
-import com.google.common.collect.Lists;
-
 /**
  * CLIService.
  *
@@ -80,6 +77,11 @@ public class CLIService extends Composit
 
   @Override
   public synchronized void init(HiveConf hiveConf) {
+    try {
+      applyAuthorizationConfigPolicy(hiveConf);
+    } catch (HiveException e) {
+      throw new RuntimeException("Error applying authorization policy on hive configuration",
e);
+    }
     this.hiveConf = hiveConf;
     sessionManager = new SessionManager(hiveServer2);
     addService(sessionManager);
@@ -113,6 +115,15 @@ public class CLIService extends Composit
     super.init(hiveConf);
   }
 
+  private void applyAuthorizationConfigPolicy(HiveConf newHiveConf) throws HiveException
{
+    // authorization setup using SessionState should be revisited eventually, as
+    // authorization and authentication are not session specific settings
+    SessionState ss = new SessionState(newHiveConf);
+    ss.setIsHiveServerQuery(true);
+    SessionState.start(ss);
+    ss.applyAuthorizationPolicy();
+  }
+
   private void setupBlockedUdfs() {
     FunctionRegistry.setupPermissionsForBuiltinUDFs(
         hiveConf.getVar(ConfVars.HIVE_SERVER2_BUILTIN_UDF_WHITELIST),

Modified: hive/branches/branch-1.1/service/src/java/org/apache/hive/service/cli/session/SessionManager.java
URL: http://svn.apache.org/viewvc/hive/branches/branch-1.1/service/src/java/org/apache/hive/service/cli/session/SessionManager.java?rev=1655902&r1=1655901&r2=1655902&view=diff
==============================================================================
--- hive/branches/branch-1.1/service/src/java/org/apache/hive/service/cli/session/SessionManager.java
(original)
+++ hive/branches/branch-1.1/service/src/java/org/apache/hive/service/cli/session/SessionManager.java
Fri Jan 30 01:49:48 2015
@@ -36,8 +36,6 @@ import org.apache.commons.logging.LogFac
 import org.apache.hadoop.hive.conf.HiveConf;
 import org.apache.hadoop.hive.conf.HiveConf.ConfVars;
 import org.apache.hadoop.hive.ql.hooks.HookUtils;
-import org.apache.hadoop.hive.ql.metadata.HiveException;
-import org.apache.hadoop.hive.ql.session.SessionState;
 import org.apache.hive.service.CompositeService;
 import org.apache.hive.service.cli.HiveSQLException;
 import org.apache.hive.service.cli.SessionHandle;
@@ -76,11 +74,6 @@ public class SessionManager extends Comp
 
   @Override
   public synchronized void init(HiveConf hiveConf) {
-    try {
-      applyAuthorizationConfigPolicy(hiveConf);
-    } catch (HiveException e) {
-      throw new RuntimeException("Error applying authorization policy on hive configuration",
e);
-    }
     this.hiveConf = hiveConf;
     //Create operation log root directory, if operation logging is enabled
     if (hiveConf.getBoolVar(ConfVars.HIVE_SERVER2_LOGGING_OPERATION_ENABLED)) {
@@ -116,15 +109,6 @@ public class SessionManager extends Comp
         hiveConf, ConfVars.HIVE_SERVER2_IDLE_SESSION_TIMEOUT, TimeUnit.MILLISECONDS);
   }
 
-  private void applyAuthorizationConfigPolicy(HiveConf newHiveConf) throws HiveException
{
-    // authorization setup using SessionState should be revisited eventually, as
-    // authorization and authentication are not session specific settings
-    SessionState ss = new SessionState(newHiveConf);
-    ss.setIsHiveServerQuery(true);
-    SessionState.start(ss);
-    ss.applyAuthorizationPolicy();
-  }
-
   private void initOperationLogRootDir() {
     operationLogRootDir = new File(
         hiveConf.getVar(ConfVars.HIVE_SERVER2_LOGGING_OPERATION_LOG_LOCATION));



Mime
View raw message