hive-dev mailing list archives

From "Sriram Krishnan (Created) (JIRA)" <j...@apache.org>
Subject [jira] [Created] (HIVE-2538) Database level authorization can be circumvented by first "using" a database that one has ALL privileges to
Date Tue, 01 Nov 2011 01:17:32 GMT
Database level authorization can be circumvented by first "using" a database that one has ALL privileges to
-----------------------------------------------------------------------------------------------------------

                 Key: HIVE-2538
                 URL: https://issues.apache.org/jira/browse/HIVE-2538
             Project: Hive
          Issue Type: Bug
          Components: Security
    Affects Versions: 0.7.1
            Reporter: Sriram Krishnan


You can replicate this bug by recreating my setup, which I describe below:

I have our "default" database set up to only allow SELECT for user "skrishnan". But user skrishnan
has "ALL" privileges on database "skrishnan".

The following works correctly (i.e. the user shouldn't be able to create a table in the default
database):

hive> use default;
OK
Time taken: 0.043 seconds
hive> create table skrishnan_test(i int);
Authorization failed:No privilege 'Create' found for outputs { database:default}. Use show
grant to get more details. (*Correct Behavior*)

However, user skrishnan can indeed create tables in the default database by doing this:

hive> use skrishnan; 
OK
Time taken: 0.038 seconds
hive> create table default.skrishnan_test(i int);
OK
Time taken: 0.34 seconds (*Incorrect behavior*)

That means that the database level authorization is basically circumvented by first using
a database that a user has all privileges to, and then using the fully qualified table name
(db_name.table_name) for a database that the user doesn't have permissions to.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
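The bypass in the report above comes down to which database entity the authorizer checks CREATE against: the one named in the statement, or the one the session is currently "using". The following is an added example, not Hive's code and not part of the original report. It models a toy authorizer two ways: a hypothetical flawed version that always takes the session's current database as the output entity (the report does not state Hive's actual root cause; this is an assumption used to reproduce the observed behaviour), and a corrected version that resolves the target database from the qualified table name first. The grant table, parser and session object are constructed for the example.

```python
"""Model of the HIVE-2538 authorization bypass (added example, not Hive code)."""
import re
from dataclasses import dataclass

# Constructed grants mirroring the report: SELECT on "default", ALL on "skrishnan".
GRANTS = {
    "skrishnan": {
        "default": {"SELECT"},
        "skrishnan": {"ALL"},
    },
}

# Toy parser for "CREATE TABLE [db.]name(...)"; real HiveQL is far richer.
CREATE_RE = re.compile(
    r"^\s*create\s+table\s+(?:(?P<db>\w+)\.)?(?P<table>\w+)\s*\(", re.IGNORECASE)


@dataclass
class Session:
    user: str
    current_db: str = "default"

    def use(self, db):
        # USE only changes the default namespace; it is authorized separately
        # and is not itself the flaw.
        self.current_db = db


def has_priv(user, db, priv):
    privs = GRANTS.get(user, {}).get(db, set())
    return "ALL" in privs or priv in privs


def parse_create_table(stmt):
    """Return (db_or_None, table) for a CREATE TABLE statement."""
    m = CREATE_RE.match(stmt)
    if not m:
        raise ValueError("not a CREATE TABLE statement: %r" % stmt)
    return m.group("db"), m.group("table")


def authorize_vulnerable(session, stmt):
    """Hypothetical flawed check: the output entity is always the session's
    current database, so a db qualifier on the table name is parsed but never
    consulted. This reproduces the report, but is an assumed root cause."""
    parse_create_table(stmt)
    return has_priv(session.user, session.current_db, "CREATE")


def authorize_fixed(session, stmt):
    """Resolve the target database from the statement first (qualifier wins,
    current database only as the fallback), then check CREATE on that entity."""
    db, _table = parse_create_table(stmt)
    target_db = db if db is not None else session.current_db
    return has_priv(session.user, target_db, "CREATE")


def run_report_scenario(authorize):
    """Replay the two sessions from the report against one authorizer.
    Returns (allowed_unqualified_in_default, allowed_qualified_after_use)."""
    s = Session("skrishnan")
    s.use("default")
    unqualified = authorize(s, "create table skrishnan_test(i int);")
    s.use("skrishnan")
    qualified = authorize(s, "create table default.skrishnan_test(i int);")
    return unqualified, qualified


if __name__ == "__main__":
    for name, fn in (("vulnerable", authorize_vulnerable), ("fixed", authorize_fixed)):
        print(name, run_report_scenario(fn))
```

The general rule the fixed path applies is that an authorization decision must be made on the fully resolved target object of the statement, never on session state that the user controls. A quick check for the same class of flaw in any SQL-like engine: grant a user ALL on one schema and only SELECT on another, switch into the permissive schema, and attempt a DDL statement with a fully qualified name in the restricted one; if it succeeds, the authorizer is keying off the current schema rather than the named one.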