hive-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Loudongfeng <loudongf...@huawei.com>
Subject Problem with Hive Authorization
Date Tue, 25 Nov 2014 12:13:56 GMT
Hello,list

The background:
Hive 0.13.1 with security enabled.
The HiveServer2 using SQL Standards authorization with doAs setting to false.
Remote Meta Store using storage based authorization.
Impala has access to Hive Meta Store.

The problem :
MetaStore API such as grant_role, revoke_role, grant_privileges, revoke_privileges and so
on are not checked for authorization.
Malicious users can add themselves to admin role through MetaStore's grant_role API ,and then
add bad UDFs or revoke other users' privileges.

So ,is there a solution for this? Or is there a plan to fix this in future's Hive releases?
Hive 0.14.0 has added privilege checking for queries like get_tables in HIVE-8221(Thanks to
Thejas M Nair),but the API i metioned above are not included.
HIVE-7209 trends to deny remote access from MetaStore,which would make Imapla not work properly.
Any suggestion is appreciated.


Best Regards.
         NemonLou

Mime
View raw message