hive-user mailing list archives

From Ankit Jain <ankitjainc...@gmail.com>
Subject Re: Hive Authorization Bug?
Date Tue, 25 Oct 2011 05:37:58 GMT
Hi,

I think you are right??

I have one question.

How can we create and switch users in Hive? Your grantor name is hadoop and
user name is skrishnan. How do you log in as user skrishnan?

Thanks,
Ankit Jain




On Tue, Oct 25, 2011 at 10:54 AM, Sriram Krishnan <skrishnan@netflix.com> wrote:

> The user "skrishnan" has role "users", and role users can only "Select"
> from the default database:
>
> hive> show grant role users on database default;
> OK
>
> database default
> principalName users
> principalType ROLE
> privilege Select
> grantTime 1319482008
> grantor hadoop
> …
> hive> show role grant user skrishnan;
> OK
> role name:users
> …
>
> As seen above, user "skrishnan" should not be able to create tables in the
> default database (only Select). And as I describe below, this holds true if
> skrishnan "uses" the default database, and then tries to create a table.
> However, if skrishnan uses a database where he has ALL privileges (see
> below), then he can create a table in the default database using "create
> table default.skrishnan_test". This obviously is not desirable because the
> goal is to basically restrict a user from creating tables in the default
> database, no matter what database he may be currently using.
>
> hive> show grant user skrishnan on database skrishnan;
> OK
>
> database skrishnan
> principalName skrishnan
> principalType USER
> privilege All
> grantTime 1319482070
> grantor hadoop
> …
>
> Thanks,
> Sriram
>
> From: Ankit Jain <ankitjaincs06@gmail.com>
> Reply-To: "user@hive.apache.org" <user@hive.apache.org>
> Date: Mon, 24 Oct 2011 22:01:00 -0700
> To: "user@hive.apache.org" <user@hive.apache.org>
> Subject: Re: Hive Authorization Bug?
>
> Hi,
>
> Please try to run the following command and view the grant option.
>
> hive> show grant user abc on database default;
>
> output :
>
> database    default
> principalName    abc
> principalType    USER
> privilege    All
> grantTime    1319518326
> grantor   xyz
>
>
> Is skrishnan an Ubuntu user, or have you created a Hive user?
>
> Thanks,
> Ankit
>
> On Tue, Oct 25, 2011 at 5:09 AM, Sriram Krishnan <skrishnan@netflix.com> wrote:
>
>> Hi,
>>
>> I am finding some inconsistent behavior related to Hive authorization, and
>> I am wondering if it is a bug or something related to my setup.
>>
>> I have our "default" database set up to only allow SELECT for user
>> "skrishnan". But user skrishnan has "ALL" privileges on database
>> "skrishnan".
>>
>> The following works correctly (i.e., the user shouldn't be able to create a
>> table in the default database):
>>
>> hive> use default;
>> OK
>> Time taken: 0.043 seconds
>> hive> create table skrishnan_test(i int);
>> Authorization failed:No privilege 'Create' found for outputs {
>> database:default}. Use show grant to get more details.
>>
>> However, user skrishnan can indeed create tables in the default database
>> by doing this:
>>
>> hive> use skrishnan;
>> OK
>> Time taken: 0.038 seconds
>> hive> create table default.skrishnan_test(i int);
>> OK
>> Time taken: 0.34 seconds
>>
>> That means that the database level authorization is basically circumvented
>> by first using a database that a user has all privileges to. Is there a
>> setting that one can use to disable this? Or is this a Hive bug?
>>
>> Thanks,
>> Sriram
>>
>
>
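
Added example, not part of the original thread and not Hive's own code: a small audit that replays a session's statements, tracks the current database through `use`, resolves the database a `create table` actually lands in (the qualified name wins over the session database), and flags creates in databases where the user holds neither Create nor All. The grant table is transcribed from the SHOW GRANT output quoted above with the role "users" flattened onto the user; the function names and the idea of feeding it a statement history are assumptions.

```python
import re

# Effective database-level privileges, transcribed from the SHOW GRANT output
# quoted in the thread (assumption: role "users" flattened onto skrishnan).
GRANTS = {("skrishnan", "default"): {"select"},
          ("skrishnan", "skrishnan"): {"all"}}

USE_RE = re.compile(r"^\s*use\s+`?(\w+)`?\s*;?\s*$", re.I)
CREATE_RE = re.compile(
    r"^\s*create\s+(?:external\s+)?table\s+(?:if\s+not\s+exists\s+)?"
    r"(?:`?(\w+)`?\.)?`?(\w+)`?", re.I)

def may_create(user, database, grants=GRANTS):
    """True if the user holds Create or All on the named database."""
    privs = grants.get((user, database.lower()), set())
    return bool(privs & {"create", "all"})

def audit_session(user, statements, start_db="default"):
    """Return findings for CREATE TABLE statements that land in a database
    where `user` holds neither Create nor All (hypothetical helper)."""
    current, findings = start_db, []
    for stmt in statements:
        m = USE_RE.match(stmt)
        if m:
            current = m.group(1).lower()   # session database changes
            continue
        m = CREATE_RE.match(stmt)
        if not m:
            continue
        # A db-qualified table name overrides the session database.
        target = (m.group(1) or current).lower()
        if not may_create(user, target):
            findings.append({"statement": stmt, "session_db": current,
                             "target_db": target,
                             "cross_db": target != current})
    return findings

# Constructed input: the two sessions from the original report, plus one
# legitimate create in the user's own database.
SESSION = ["use default;", "create table skrishnan_test(i int);",
           "use skrishnan;", "create table default.skrishnan_test(i int);",
           "create table mine(i int);"]

if __name__ == "__main__":
    for finding in audit_session("skrishnan", SESSION):
        print(finding)
```

Findings with `cross_db` set are the ones matching the report: the session database differs from the database the table was created in.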
