hive-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Hive QA (JIRA)" <>
Subject [jira] [Commented] (HIVE-5479) SBAP restricts hcat -e 'show databases'
Date Fri, 11 Oct 2013 00:45:42 GMT


Hive QA commented on HIVE-5479:

{color:green}Overall{color}: +1 all checks pass

Here are the results of testing the latest attachment:

{color:green}SUCCESS:{color} +1 4392 tests passed

Test results:
Console output:

Executing org.apache.hive.ptest.execution.PrepPhase
Executing org.apache.hive.ptest.execution.ExecutionPhase
Executing org.apache.hive.ptest.execution.ReportingPhase

This message is automatically generated.

> SBAP restricts hcat -e 'show databases'
> ---------------------------------------
>                 Key: HIVE-5479
>                 URL:
>             Project: Hive
>          Issue Type: Bug
>          Components: Authorization, HCatalog
>    Affects Versions: 0.12.0
>            Reporter: Sushanth Sowmyan
>            Assignee: Sushanth Sowmyan
>         Attachments: HIVE-5479.patch
> During testing for 0.12, it was found that if someone tries to use the SBAP as a client-side
authorization provider, and runs hcat -e "show databases;", SBAP denies permission to the
> Looking at SBAP code, why it does so is self-evident from this section:
> {code}
>   @Override
>   public void authorize(Privilege[] readRequiredPriv, Privilege[] writeRequiredPriv)
>       throws HiveException, AuthorizationException {
>     // Currently not used in hive code-base, but intended to authorize actions
>     // that are directly user-level. As there's no storage based aspect to this,
>     // we can follow one of two routes:
>     // a) We can allow by default - that way, this call stays out of the way
>     // b) We can deny by default - that way, no privileges are authorized that
>     // is not understood and explicitly allowed.
>     // Both approaches have merit, but given that things like grants and revokes
>     // that are user-level do not make sense from the context of storage-permission
>     // based auth, denying seems to be more canonical here.
>     throw new AuthorizationException(StorageBasedAuthorizationProvider.class.getName()
>         " does not allow user-level authorization");
>   }
> {code}
> Thus, this deny-by-default behaviour affects the "show databases" call from hcat cli,
which uses user-level privileges to determine if a user can perform that.

This message was sent by Atlassian JIRA

View raw message