hive-issues mailing list archives

From "Sushanth Sowmyan (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HIVE-11988) [hive] security issue with hive & ranger for import table command
Date Thu, 29 Oct 2015 18:54:27 GMT

    [ https://issues.apache.org/jira/browse/HIVE-11988?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14981036#comment-14981036 ]

Sushanth Sowmyan commented on HIVE-11988:
-----------------------------------------

Committed to branch-1 and branch-1.2 as well. Thanks, Thejas!

> [hive] security issue with hive & ranger for import table command
> -----------------------------------------------------------------
>
>                 Key: HIVE-11988
>                 URL: https://issues.apache.org/jira/browse/HIVE-11988
>             Project: Hive
>          Issue Type: Bug
>          Components: Hive
>    Affects Versions: 0.14.0, 1.2.1
>            Reporter: Deepak Sharma
>            Assignee: Sushanth Sowmyan
>            Priority: Critical
>             Fix For: 1.3.0, 2.0.0, 1.2.2
>
>         Attachments: HIVE-11988.2.patch, HIVE-11988.3.patch, HIVE-11988.4.patch, HIVE-11988.5.patch, HIVE-11988.patch, authorization_uri_import_q_hive.log, authorization_uri_import_q_output.txt
>
>
> If a user does not have permission to create a table in Hive, and the same user then imports data for a table using the following command, it will have to create the table as well, and that works successfully. Ideally, it should not work.
> STR:
> ====
> 1. Put some raw data in HDFS path /user/user1/tempdata
> 2. In the Ranger policy check, user1 should not have any permission on any table
> 3. Log in as user1 in beeline (obviously it will fail since the user doesn't have permission to create a table)
> create table tt1(id INT,ff String);
> FAILED: HiveAccessControlException Permission denied: user user1 does not have CREATE privilege on default/tt1 (state=42000,code=40000)
> 4. Now try the following command to import data into a table (the table should not exist already)
> import table tt1 from '/user/user1/tempdata';
> ER:
> Since user1 doesn't have permission to create a table, this operation should fail
> AR:
> Table is created successfully and data is also imported!!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
