hive-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Shunichi Otsuka <>
Subject RE: metastore security issue
Date Thu, 04 Jul 2013 09:43:20 GMT
One setting was missing:   true

This solves the problem

-----Original Message-----
From: Shunichi Otsuka [] 
Sent: Thursday, July 04, 2013 2:28 PM
Subject: metastore security issue

I am trying to setup hive securely doing authorization at the metastore. However there is
a problem.
I have relied on hive JIRA HIVE-3705 to decide the configuration which were set as below:

javax.jdo.option.ConnectionURL                    jdbc
javax.jdo.option.ConnectionDriverName             java.database.jdbc.mysql
javax.jdo.option.ConnectionUserName               hive
javax.jdo.option.ConnectionPassword               userpass
hive.metastore.execute.setugi                     true
hive.metastore.uris                               thrift://
hive.metastore.sasl.enabled                       true
hive.metastore.kerberos.keytab.file               /etc/grid-keytabs/hive.keytab
hive.metastore.kerberos.principal                 hive/     true               false

However this does authorize an unauthorized user to drop a table or database from the metastore
as below:

alice> create database db1 location '/user/alice/warehouse/db1.db';
[The permission of db1.db is drwx------ alice:users] However,
bob> drop database db1;

This should not happen, so why is it happening? Is my setting wrong or is it that the code
has not covered this case?
If it is that it has not been implemented yet, what measures have you taken to avoid malicious
users from dropping other users' database/tables?

Java version  is 1.6.0_33
hive version is 0.11


View raw message