From: Ankit Jain
To: user@hive.apache.org
Date: Tue, 25 Oct 2011 11:07:58 +0530
Subject: Re: Hive Authorization Bug?

Hi,

I think you are right??

I have one question.

How can we create and switch users in Hive? Your grantor name is hadoop and
user name is skrishnan. How do you log in with user skrishnan?

Thanks,
Ankit Jain

On Tue, Oct 25, 2011 at 10:54 AM, Sriram Krishnan wrote:

> The user "skrishnan" has role "users", and role users can only "Select"
> from the default database:
>
> hive> show grant role users on database default;
> OK
>
> database        default
> principalName   users
> principalType   ROLE
> privilege       Select
> grantTime       1319482008
> grantor         hadoop
> …
> hive> show role grant user skrishnan;
> OK
> role name:users
> …
>
> As seen above, user "skrishnan" should not be able to create tables in the
> default database (only Select). And as I describe below, this holds true if
> skrishnan "uses" the default database, and then tries to create a table.
> However, if skrishnan uses a database where he has ALL privileges (see
> below), then he can create a table in the default database using "create
> table default.skrishnan_test". This obviously is not desirable because the
> goal is to basically restrict a user from creating tables in the default
> database, no matter what database he may be currently using.
>
> hive> show grant user skrishnan on database skrishnan;
> OK
>
> database        skrishnan
> principalName   skrishnan
> principalType   USER
> privilege       All
> grantTime       1319482070
> grantor         hadoop
> …
>
> Thanks,
> Sriram
>
> From: Ankit Jain
> Reply-To: "user@hive.apache.org"
> Date: Mon, 24 Oct 2011 22:01:00 -0700
> To: "user@hive.apache.org"
> Subject: Re: Hive Authorization Bug?
>
> Hi,
>
> Please try to run the following command and view the grant option.
>
> hive> show grant user abc on database default;
>
> output :
>
> database        default
> principalName   abc
> principalType   USER
> privilege       All
> grantTime       1319518326
> grantor         xyz
>
> Is skrishnan an Ubuntu user, or have you created a Hive user?
>
> Thanks,
> Ankit
>
> On Tue, Oct 25, 2011 at 5:09 AM, Sriram Krishnan wrote:
>
>> Hi,
>>
>> I am finding some inconsistent behavior related to Hive authorization, and
>> I am wondering if it is a bug or something related to my setup.
>>
>> I have our "default" database set up to only allow SELECT for user
>> "skrishnan". But user skrishnan has "ALL" privileges on database
>> "skrishnan".
>>
>> The following works correctly (i.e. the user shouldn't be able to create a
>> table in the default database):
>>
>> hive> use default;
>> OK
>> Time taken: 0.043 seconds
>> hive> create table skrishnan_test(i int);
>> Authorization failed:No privilege 'Create' found for outputs { database:default}. Use show grant to get more details.
>>
>> However, user skrishnan can indeed create tables in the default database
>> by doing this:
>>
>> hive> use skrishnan;
>> OK
>> Time taken: 0.038 seconds
>> hive> create table default.skrishnan_test(i int);
>> OK
>> Time taken: 0.34 seconds
>>
>> That means that the database level authorization is basically circumvented
>> by first using a database that a user has all privileges to. Is there a
>> setting that one can use to disable this? Or is this a Hive bug?
>>
>> Thanks,
>> Sriram

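An added example, not part of the original thread and not Hive's own code: a small audit that replays a session's statements and checks each CREATE TABLE against the database named in the statement rather than the one last selected with "use", which is the behaviour the thread expects. The grant table is constructed from the "show grant" output quoted above; the regexes, function names and the extra "mine" table are assumptions made for illustration.

```python
import re

# Constructed from the grants shown in the thread (not read from a metastore).
DB_GRANTS = {
    ("ROLE", "users", "default"): {"Select"},
    ("USER", "skrishnan", "skrishnan"): {"All"},
}
USER_ROLES = {"skrishnan": ["users"]}
USE_RE = re.compile(r"^\s*use\s+(\w+)\s*;?\s*$", re.I)
CREATE_RE = re.compile(
    r"^\s*create\s+(?:external\s+)?table\s+(?:if\s+not\s+exists\s+)?"
    r"(?:`?(\w+)`?\.)?`?(\w+)`?", re.I)

def has_privilege(user, database, privilege):
    """True if the user, directly or through a role, holds the privilege (or All)."""
    principals = [("USER", user)] + [("ROLE", r) for r in USER_ROLES.get(user, [])]
    for ptype, name in principals:
        held = DB_GRANTS.get((ptype, name, database), set())
        if privilege in held or "All" in held:
            return True
    return False

def audit_session(user, statements, start_db="default"):
    """Return (statement, current_db, target_db) for creates the user lacks Create on."""
    current_db, findings = start_db, []
    for stmt in statements:
        m = USE_RE.match(stmt)
        if m:
            current_db = m.group(1).lower()
            continue
        m = CREATE_RE.match(stmt)
        if not m:
            continue
        # Resolve the database from the qualified name, falling back to the session's.
        target_db = (m.group(1) or current_db).lower()
        if not has_privilege(user, target_db, "Create"):
            findings.append((stmt.strip(), current_db, target_db))
    return findings

# Constructed sample: the two sessions from the thread, plus one permitted create.
SESSION = [
    "use default;", "create table skrishnan_test(i int);",
    "use skrishnan;", "create table default.skrishnan_test(i int);",
    "create table mine(i int);",
]
```

Run over SESSION for user skrishnan, the audit reports both creates that target the default database, including the qualified one issued while the current database is skrishnan.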