ranger-dev mailing list archives

From "Zsombor Gegesy (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (RANGER-1947) RangerHivePlugin does not authorize location on INSERT OVERWRITE DIRECTORY query
Date Tue, 09 Jan 2018 15:00:00 GMT

    [ https://issues.apache.org/jira/browse/RANGER-1947?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16318550#comment-16318550 ]

Zsombor Gegesy commented on RANGER-1947:
----------------------------------------

Writing to HDFS should be checked by the HDFS plugin. If Hive is configured with user
impersonation, then it will inherit the user rights, otherwise it will try to act as user
'hive'. You should configure an appropriate HDFS policy for your cluster to avoid the problem.

> RangerHivePlugin does not authorize location on INSERT OVERWRITE DIRECTORY query
> --------------------------------------------------------------------------------
>
>                 Key: RANGER-1947
>                 URL: https://issues.apache.org/jira/browse/RANGER-1947
>             Project: Ranger
>          Issue Type: Bug
>          Components: plugins
>    Affects Versions: 0.7.1
>         Environment: hadoop 2.7.5 + hive 2.3.2 + ranger 0.7.1
>            Reporter: Jake Moon
>
> {code}
> insert overwrite directory '/user/user1/nonewrite3'
> ROW FORMAT DELIMITED 
> FIELDS TERMINATED BY ','
> SELECT u.id, u.age, u.city, c.city
> FROM user_table  u JOIN city_table c ON (u.city = c.code)
> WHERE u.age > 25
> AND u.age <= 28
> AND c.city = 'New York'
> {code}
> This query's Hive operation type is HiveOperationType.QUERY, and it also has a write location
> of 'hdfs://my.cluster/user/user1/nonewrite3'.
> RangerHiveAuthorizer must authorize the location, but getURIAccessType(HiveOperationType.QUERY)
> always returns FsAction.NONE, so it does not work.
> If hive-server2 has enough permission on HDFS with no impersonation, every user can
> format HDFS like this.
> {code}
> insert overwrite directory '/'
> ROW FORMAT DELIMITED 
> FIELDS TERMINATED BY ','
> SELECT 1
> {code}



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
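
An audit check for the gap discussed above, as an added example that is not part of the original message or of Ranger's code: it extracts the target of `INSERT OVERWRITE DIRECTORY` statements and flags HDFS overwrites outside the submitting user's allowed prefixes. The `(user, statement)` record format, the `/user/<user>` policy and all function names are assumptions made for illustration.

```python
import posixpath
import re
from urllib.parse import urlparse

# Matches the target of INSERT OVERWRITE [LOCAL] DIRECTORY '<path>' (Hive syntax).
_TARGET = re.compile(
    r"insert\s+overwrite\s+(local\s+)?directory\s+(['\"])(.+?)\2",
    re.IGNORECASE | re.DOTALL,
)

def write_target(sql):
    """Return the normalized HDFS path a statement overwrites, or None."""
    m = _TARGET.search(sql)
    if m is None or m.group(1):      # no directory write, or LOCAL (not HDFS)
        return None
    path = urlparse(m.group(3)).path or "/"   # drop hdfs://authority if present
    return posixpath.normpath(path)           # collapse '..' and duplicate slashes

def is_allowed(user, path, shared_prefixes=()):
    """Assumed policy: overwrite only under /user/<user> or a shared prefix."""
    for prefix in (f"/user/{user}",) + tuple(shared_prefixes):
        if path == prefix or path.startswith(prefix + "/"):
            return True
    return False

def audit(records, shared_prefixes=()):
    """Return (user, path) for each directory overwrite outside allowed prefixes."""
    findings = []
    for user, sql in records:
        path = write_target(sql)
        if path is not None and not is_allowed(user, path, shared_prefixes):
            findings.append((user, path))
    return findings

# Constructed sample records; the first two targets are the ones quoted in the issue.
SAMPLE = [
    ("user1", "insert overwrite directory '/user/user1/nonewrite3' "
              "ROW FORMAT DELIMITED FIELDS TERMINATED BY ',' SELECT 1"),
    ("user1", "insert overwrite directory '/' ROW FORMAT DELIMITED "
              "FIELDS TERMINATED BY ',' SELECT 1"),
    ("user2", "INSERT OVERWRITE DIRECTORY "
              "'hdfs://my.cluster/user/user2/../user1/out' SELECT 1"),
    ("user2", "SELECT count(*) FROM city_table"),
]

if __name__ == "__main__":
    for user, path in audit(SAMPLE):
        print(f"overwrite outside allowed prefixes: user={user} path={path}")
```

A check like this only reports on statements it is shown; enforcement still belongs in the HDFS policy, as the comment above says.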
