sentry-issues mailing list archives

From "Istvan Vajnorak (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (SENTRY-1034) Fix beeline connecting to db
Date Fri, 19 Jan 2018 10:10:00 GMT

    [ https://issues.apache.org/jira/browse/SENTRY-1034?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15122145#comment-15122145 ]

Istvan Vajnorak edited comment on SENTRY-1034 at 1/19/18 10:09 AM:
-------------------------------------------------------------------

Hello [~anneyu.apache] please find my answers below:

1. test_mval has only rights to connect to test_mvaldb (and to default by default)
2. For any user, if you manage to find a db that exists in the warehouse, then it will let it in
3. asdasdasdasd is just a trash string

Sorry for not clarifying these upfront.


was (Author: bearricade):
Hello [~anneyu.apache] please find my answers below:

1. allianz_mval has only rights to connect to allianz_mvaldb (and to default by default)
2. For any user, if you manage to find a db that exists in the warehouse, then it will let it in
3. asdasdasdasd is just a trash string

Sorry for not clarifying these upfront.

> Fix beeline connecting to db
> ----------------------------
>
>                 Key: SENTRY-1034
>                 URL: https://issues.apache.org/jira/browse/SENTRY-1034
>             Project: Sentry
>          Issue Type: Bug
>          Components: Core
>            Reporter: Istvan Vajnorak
>            Priority: Major
>
> A possible info leak in the way how beeline connects to databases and uses the ACLs to prevent seeing unauthorised databases and tables.
> It turns out that one can connect to a database that one should not see, but listing it afterwards gives no tables. This is still somewhat a security breach as an attacker can gain insight what databases exist.
> The way the problem got identified:
> root@prod-vm-cdh-mgr-01 ~]# kinit -kt ~test_mval.keytab test_mval 
> [root@prod-vm-cdh-mgr-01 ~]# beeline 
> Beeline version 1.1.0-cdh5.4.8 by Apache Hive 
> beeline> !connect jdbc:hive2://vm-cdh-01:10000/testdb;principal=hive/_HOST@MITKDC
> scan complete in 6ms 
> Connecting to jdbc:hive2://vm-cdh-01:10000/testdb;principal=hive/_HOST@MITKDC 
> Enter username for jdbc:hive2://vm-cdh-01:10000/testdb;principal=hive/_HOST@MITKDC: 
> Enter password for jdbc:hive2://vm-cdh-01:10000/testdb;principal=hive/_HOST@MITKDC: 
> Connected to: Apache Hive (version 1.1.0-cdh5.4.8) 
> Driver: Hive JDBC (version 1.1.0-cdh5.4.8) 
> Transaction isolation: TRANSACTION_REPEATABLE_READ 
> 0: jdbc:hive2://vm-cdh-01:10000/testdb> show databases; 
> -----------------+
> database_name
> -----------------+
> test_mvaldb
> default
> -----------------+ 
> 2 rows selected (0.726 seconds) 
> 0: jdbc:hive2://vm-cdh-01:10000/testdb> show tables; 
> -----------+
> tab_name
> -----------+ 
> -----------+ 
> No rows selected (1.033 seconds) 
> 0: jdbc:hive2://vm-cdh-01:10000/testdb> !quit 
> Closing: 0: jdbc:hive2://vm-cdh-01:10000/testdb;principal=hive/_HOST@MITKDC 
> [root@prod-vm-cdh-mgr-01 ~]# beeline 
> Beeline version 1.1.0-cdh5.4.8 by Apache Hive 
> beeline> !connect jdbc:hive2://vm-cdh-01:10000/asdasdasdasd;principal=hive/_HOST@MITKDC
> scan complete in 2ms 
> Connecting to jdbc:hive2://vm-cdh-01:10000/asdasdasdasd;principal=hive/_HOST@MITKDC 
> Enter username for jdbc:hive2://vm-cdh-01:10000/asdasdasdasd;principal=hive/_HOST@MITKDC:
> Enter password for jdbc:hive2://vm-cdh-01:10000/asdasdasdasd;principal=hive/_HOST@MITKDC:
> Connected to: Apache Hive (version 1.1.0-cdh5.4.8) 
> Driver: Hive JDBC (version 1.1.0-cdh5.4.8) 
> Transaction isolation: TRANSACTION_REPEATABLE_READ 
> 0: jdbc:hive2://vm-cdh-01:10000/asdas> show tables; 
> Error: Error while processing statement: FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Database does not exist: asdasdasdasd (state=08S01,code=1)
> 0: jdbc:hive2://vm-cdh-01:10000/asdas> !connect jdbc:hive2://vm-cdh-01:10000/testdb;principal=hive/_HOST@MITKDC
> Connecting to jdbc:hive2://vm-cdh-01:10000/testdb;principal=hive/_HOST@MITKDC 
> Enter username for jdbc:hive2://vm-cdh-01:10000/testdb;principal=hive/_HOST@MITKDC: 
> Enter password for jdbc:hive2://vm-cdh-01:10000/testdb;principal=hive/_HOST@MITKDC: 
> Connected to: Apache Hive (version 1.1.0-cdh5.4.8) 
> Driver: Hive JDBC (version 1.1.0-cdh5.4.8) 
> Transaction isolation: TRANSACTION_REPEATABLE_READ 
> 1: jdbc:hive2://vm-cdh-01:10000/testdb> show tables; 
> -----------+
> tab_name
> -----------+ 
> -----------+ 
> No rows selected (1.09 seconds) 
> 1: jdbc:hive2://vm-cdh-01:10000/testdb> 
> 1: jdbc:hive2://vm-cdh-01:10000/testdb> 
> 1: jdbc:hive2://vm-cdh-01:10000/testdb> 
> 1: jdbc:hive2://vm-cdh-01:10000/testdb> 
> 1: jdbc:hive2://vm-cdh-01:10000/testdb> 
> 1: jdbc:hive2://vm-cdh-01:10000/testdb> !quit; 
> Unknown command: quit; 
> 1: jdbc:hive2://vm-cdh-01:10000/testdb> !quit; 
> Unknown command: quit; 
> 1: jdbc:hive2://vm-cdh-01:10000/testdb> !quit
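
The existence oracle the report describes, modelled as an added example (constructed code, not Sentry's or Hive's): the connect path resolves whether the database exists before any authorization check, so an existing-but-ungranted database such as testdb and a bogus name such as asdasdasdasd get different responses, while the hardened variant answers both the same way. The warehouse contents, the grant table and the error wording are assumptions made for illustration.

```python
"""Constructed model of the SENTRY-1034 behaviour; not Sentry or Hive code."""

# Assumed warehouse state: which databases exist, and which the user may see
# (the grants the authorization layer would hold). test_mval mirrors the report.
WAREHOUSE = {"default", "test_mvaldb", "testdb"}
GRANTS = {"test_mval": {"default", "test_mvaldb"}}

NO_SUCH_DB = "Database does not exist"  # assumed wording, taken from the report


def connect_leaky(user: str, db: str) -> str:
    """Behaviour in the report: existence is resolved first and the session opens
    for any existing database; grants are only applied to later statements, so
    'show tables' in an ungranted database merely lists nothing."""
    if db not in WAREHOUSE:
        return f"error: {NO_SUCH_DB}: {db}"
    return f"connected: {db}"  # opens even though user holds no grant on db


def connect_hardened(user: str, db: str) -> str:
    """Hardened variant: an ungranted database is reported with exactly the same
    message as a nonexistent one, so the response carries no existence signal."""
    allowed = GRANTS.get(user, set())
    if db not in WAREHOUSE or db not in allowed:
        return f"error: {NO_SUCH_DB}: {db}"
    return f"connected: {db}"


def leaks_existence(connect, user: str, ungranted_existing: str, bogus: str) -> bool:
    """Regression check: True if the response for an existing database the user
    may not see differs from the response for a name that does not exist."""
    def normalise(resp: str, name: str) -> str:
        return resp.replace(name, "<db>")  # compare shape, not the name echoed back
    return normalise(connect(user, ungranted_existing), ungranted_existing) != \
        normalise(connect(user, bogus), bogus)
```

`leaks_existence` is the property a unit test for the fix should assert is false for every user and database pair, not only for the two names in the report.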



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
