hive-dev mailing list archives

From "Prasad Mujumdar (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HIVE-8893) Implement whitelist for builtin UDFs to avoid untrusted code execution in multiuser mode
Date Mon, 17 Nov 2014 05:17:34 GMT

     [ https://issues.apache.org/jira/browse/HIVE-8893?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Prasad Mujumdar updated HIVE-8893:
----------------------------------
    Status: Patch Available  (was: Open)

> Implement whitelist for builtin UDFs to avoid untrusted code execution in multiuser mode
> ----------------------------------------------------------------------------------------
>
>                 Key: HIVE-8893
>                 URL: https://issues.apache.org/jira/browse/HIVE-8893
>             Project: Hive
>          Issue Type: Bug
>          Components: Authorization, HiveServer2, SQL
>    Affects Versions: 0.14.0
>            Reporter: Prasad Mujumdar
>            Assignee: Prasad Mujumdar
>             Fix For: 0.15.0
>
>         Attachments: HIVE-8893.2.patch
>
>
> UDFs like reflect() or java_method() enable executing a Java method as a UDF. While
> this offers a lot of flexibility in standalone mode, it can become a security loophole in
> a secure multiuser environment. For example, in HiveServer2 one can execute any available
> Java code with user hive's credentials.
> We need a whitelist and blacklist to restrict builtin UDFs in HiveServer2.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
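
The restriction requested in the issue above, sketched as an added example; this is not the code in HIVE-8893.2.patch and not Hive's implementation. The class name `BuiltinUdfFilter`, the comma-separated list format, and the policy (deny list wins, empty allow list permits every other builtin) are assumptions made for illustration.

```java
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.stream.Collectors;

/** Hypothetical allow/deny filter for builtin UDF names; not Hive's implementation. */
public class BuiltinUdfFilter {
    private final Set<String> allow;
    private final Set<String> deny;

    public BuiltinUdfFilter(String allowCsv, String denyCsv) {
        this.allow = parse(allowCsv);
        this.deny = parse(denyCsv);
    }

    // Split a comma-separated list, trim entries, and normalize case so that
    // "REFLECT" and " reflect " are treated as the same function name.
    private static Set<String> parse(String csv) {
        if (csv == null) return new LinkedHashSet<>();
        return Arrays.stream(csv.split(","))
                .map(s -> s.trim().toLowerCase(Locale.ROOT))
                .filter(s -> !s.isEmpty())
                .collect(Collectors.toCollection(LinkedHashSet::new));
    }

    /** Assumed policy: deny list wins; an empty allow list permits every other builtin. */
    public boolean isPermitted(String udfName) {
        String name = udfName.trim().toLowerCase(Locale.ROOT);
        if (deny.contains(name)) return false;
        return allow.isEmpty() || allow.contains(name);
    }

    public static void main(String[] args) {
        // Constructed sample settings: deny the reflection UDFs named in the issue.
        BuiltinUdfFilter denyOnly = new BuiltinUdfFilter("", "reflect, java_method");
        // Constructed strict settings: short allow list, deny list still applied on top.
        BuiltinUdfFilter strict = new BuiltinUdfFilter("upper,concat,reflect", "reflect");
        for (String udf : List.of("upper", "REFLECT", "java_method", "concat")) {
            System.out.printf("%-12s denyOnly=%-5b strict=%b%n",
                    udf, denyOnly.isPermitted(udf), strict.isPermitted(udf));
        }
    }
}
```

Under the strict settings, `java_method` is refused although it appears on no deny list, because it is absent from the allow list; `reflect` is refused under both because the deny list takes precedence.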
