hive-dev mailing list archives

From "Prasad Mujumdar (JIRA)" <j...@apache.org>
Subject [jira] [Created] (HIVE-8893) Implement whitelist for builtin UDFs to avoid untrusted code execution in multiuser mode
Date Mon, 17 Nov 2014 02:45:34 GMT
Prasad Mujumdar created HIVE-8893:
-------------------------------------

             Summary: Implement whitelist for builtin UDFs to avoid untrusted code execution in multiuser mode
                 Key: HIVE-8893
                 URL: https://issues.apache.org/jira/browse/HIVE-8893
             Project: Hive
          Issue Type: Bug
          Components: Authorization, HiveServer2, SQL
    Affects Versions: 0.14.0
            Reporter: Prasad Mujumdar
            Assignee: Prasad Mujumdar
             Fix For: 0.15.0


UDFs like reflect() or java_method() enable executing a Java method as a UDF. While this
offers a lot of flexibility in standalone mode, it can become a security loophole in a secure
multiuser environment. For example, in HiveServer2 one can execute any available Java code
with user hive's credentials.
We need a whitelist and blacklist to restrict builtin UDFs in HiveServer2.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
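
The restriction requested in the message above, shown as an added example that is not part of the original message and is not Hive's code: a log-audit check that flags queries calling reflect() or java_method(). The precedence rule (a blacklist entry always denies, an empty whitelist allows everything else), the helper names and the sample queries are assumptions of this sketch.

```python
import re

# Assumed policy for this sketch: blacklist wins; an empty whitelist means
# "no allow-list restriction" for the remaining builtins.
BLACKLIST = {"reflect", "java_method"}  # the two UDFs named in the issue
WHITELIST = set()

# String literals and comments are blanked out first, so a function name that
# only appears inside a string or comment is not reported.
_NOISE = re.compile(
    r"'(?:[^'\\]|\\.)*'|\"(?:[^\"\\]|\\.)*\"|--[^\n]*|/\*.*?\*/", re.S)
# An identifier followed by "(" is treated as a function call.
_CALL = re.compile(r"\b([A-Za-z_][A-Za-z0-9_]*)\s*\(")
# Keywords that can precede "(" without being function calls.
_KEYWORDS = {"in", "values", "over", "as", "on", "and", "or", "not",
             "exists", "from", "where", "select", "by", "using"}


def called_functions(query):
    """Lower-cased names of everything in the query that looks like a call."""
    stripped = _NOISE.sub(" ", query)
    names = {m.group(1).lower() for m in _CALL.finditer(stripped)}
    return names - _KEYWORDS


def denied_functions(query, whitelist=WHITELIST, blacklist=BLACKLIST):
    """Called functions the policy rejects, sorted for stable output."""
    denied = set()
    for name in called_functions(query):
        if name in blacklist or (whitelist and name not in whitelist):
            denied.add(name)
    return sorted(denied)


SAMPLE_QUERIES = [  # constructed for this example, not taken from a real log
    "SELECT upper(name) FROM users",
    "SELECT REFLECT('java.lang.String', 'valueOf', 1) FROM src",
    "SELECT java_method /* note */ ('java.lang.Math', 'abs', x) FROM src",
    "SELECT count(*) FROM notes WHERE body = 'please call reflect() later'",
]

if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        print(denied_functions(q) or "ok", "<-", q)
```

A text scan like this suits auditing existing query logs; enforcement belongs in the server's function lookup, where quoting and aliasing cannot hide a name.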
