hive-issues mailing list archives

From "niklaus xiao (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HIVE-10022) Authorization checks for non existent file/directory should not be recursive
Date Fri, 15 Jul 2016 06:51:20 GMT

    [ https://issues.apache.org/jira/browse/HIVE-10022?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15378922#comment-15378922 ]

niklaus xiao commented on HIVE-10022:
-------------------------------------

Regex works with LOAD DATA.
{code}
0: jdbc:hive2://189.39.151.74:21066/> dfs -ls /tmp/data;
+---------------------------------------------------------------------------+--+
|                                DFS Output                                 |
+---------------------------------------------------------------------------+--+
| Found 3 items                                                             |
| -rw-------   3 admin hadoop          0 2016-07-15 14:48 /tmp/data/1.txt   |
| -rw-------   3 admin hadoop          0 2016-07-15 14:48 /tmp/data/2.txt   |
| -rw-------   3 admin hadoop          0 2016-07-15 14:47 /tmp/data/3.info  |
+---------------------------------------------------------------------------+--+
4 rows selected (0.029 seconds)
0: jdbc:hive2://189.39.151.74:21066/> load data inpath '/tmp/data/*.txt' into table foo;
INFO  : Loading data to table db2.foo from hdfs://hacluster/tmp/data/*.txt
No rows affected (0.558 seconds)
0: jdbc:hive2://189.39.151.74:21066/> dfs -ls /user/hive/warehouse/db2.db/foo;
+----------------------------------------------------------------------------------------------+--+
|                                          DFS Output                                          |
+----------------------------------------------------------------------------------------------+--+
| Found 2 items                                                                                |
| -rwxrwx---+  3 admin hive          0 2016-07-15 14:48 /user/hive/warehouse/db2.db/foo/1.txt  |
| -rwxrwx---+  3 admin hive          0 2016-07-15 14:48 /user/hive/warehouse/db2.db/foo/2.txt  |
+----------------------------------------------------------------------------------------------+--+
3 rows selected (0.091 seconds)
0: jdbc:hive2://189.39.151.74:21066/> dfs -ls /tmp/data;
+---------------------------------------------------------------------------+--+
|                                DFS Output                                 |
+---------------------------------------------------------------------------+--+
| Found 1 items                                                             |
| -rw-------   3 admin hadoop          0 2016-07-15 14:47 /tmp/data/3.info  |
+---------------------------------------------------------------------------+--+
2 rows selected (0.047 seconds)
0: jdbc:hive2://189.39.151.74:21066/>
{code}

Expanding the regex and checking on the regex match might be a good solution.

> Authorization checks for non existent file/directory should not be recursive
> ----------------------------------------------------------------------------
>
>                 Key: HIVE-10022
>                 URL: https://issues.apache.org/jira/browse/HIVE-10022
>             Project: Hive
>          Issue Type: Bug
>          Components: Authorization
>    Affects Versions: 0.14.0
>            Reporter: Pankit Thapar
>            Assignee: Pankit Thapar
>         Attachments: HIVE-10022.2.patch, HIVE-10022.3.patch, HIVE-10022.patch
>
>
> I am testing a query like:
> set hive.test.authz.sstd.hs2.mode=true;
> set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
> set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
> set hive.security.authorization.enabled=true;
> set user.name=user1;
> create table auth_noupd(i int) clustered by (i) into 2 buckets stored as orc location '${OUTPUT}' TBLPROPERTIES ('transactional'='true');
> Now, in the above query, since authorization is true,
> we would end up calling doAuthorizationV2() which ultimately ends up calling SQLAuthorizationUtils.getPrivilegesFromFS() which calls a recursive method: FileUtils.isActionPermittedForFileHierarchy() with the object or the ancestor of the object we are trying to authorize if the object does not exist.
> The logic in FileUtils.isActionPermittedForFileHierarchy() is DFS.
> Now assume we have a path a/b/c/d that we are trying to authorize.
> In case a/b/c/d does not exist, we would call FileUtils.isActionPermittedForFileHierarchy() with, say, a/b/, assuming a/b/c also does not exist.
> If under the subtree at a/b we have millions of files, then FileUtils.isActionPermittedForFileHierarchy() is going to check file permission on each of those objects.
> I do not completely understand why we have to check for file permissions in all the objects in the branch of the tree that we are not trying to read from/write to.
> We could have checked file permission on the ancestor that exists and if it matches what we expect, then return true.
> Please confirm if this is a bug so that I can submit a patch, else let me know what I am missing?



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
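
An added illustration, not part of the original message and not Hive's code or any of the attached patches: a constructed in-memory model of the three checks discussed in this thread (the recursive hierarchy walk, the ancestor-only check the reporter proposes, and the expand-then-check idea from the comment). The owner-equals-user permission rule, the owners assigned to the sample paths and all function names are assumptions made for the example.

```python
import fnmatch
import posixpath

def build_tree(n_files):
    """Constructed namespace: path -> owner. A stand-in for HDFS, not Hive code."""
    tree = {"/": "hive", "/a": "hive", "/a/b": "user1", "/tmp": "hive",
            "/tmp/data": "admin", "/tmp/data/1.txt": "admin",
            "/tmp/data/2.txt": "admin", "/tmp/data/3.info": "etl"}
    for i in range(n_files):
        tree[f"/a/b/f{i}"] = "user1"
    return tree

def permitted(tree, path, user, counter):
    """Assumed rule: only the owner may act. counter[0] counts permission lookups."""
    counter[0] += 1
    return tree[path] == user

def nearest_existing_ancestor(tree, path):
    while path not in tree:          # "/" always exists, so this terminates
        path = posixpath.dirname(path)
    return path

def check_hierarchy(tree, target, user, counter):
    """Behaviour the issue describes: walk everything under the existing ancestor."""
    root = nearest_existing_ancestor(tree, target)
    prefix = root.rstrip("/") + "/"
    subtree = [p for p in sorted(tree) if p == root or p.startswith(prefix)]
    return all(permitted(tree, p, user, counter) for p in subtree)

def check_ancestor_only(tree, target, user, counter):
    """Reporter's proposal: for a missing target, check the existing ancestor alone."""
    return permitted(tree, nearest_existing_ancestor(tree, target), user, counter)

def check_glob(tree, pattern, user, counter):
    """Comment's suggestion: expand the pattern, then check each matched path."""
    parent, name = posixpath.split(pattern)
    matches = [p for p in sorted(tree) if posixpath.dirname(p) == parent
               and fnmatch.fnmatchcase(posixpath.basename(p), name)]
    return bool(matches) and all(permitted(tree, p, user, counter) for p in matches)

if __name__ == "__main__":
    tree = build_tree(100_000)
    for check in (check_hierarchy, check_ancestor_only):
        n = [0]
        print(check.__name__, check(tree, "/a/b/c/d", "user1", n), "lookups:", n[0])
    n = [0]
    print("glob", check_glob(tree, "/tmp/data/*.txt", "admin", n), "lookups:", n[0])
```

In this model the two strategies can disagree: for a missing path under `/tmp/data`, the hierarchy walk denies `admin` because of the sibling `3.info`, while the ancestor-only check allows it, which is the trade-off the issue asks reviewers to confirm.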