sentry-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Sergio Peña (JIRA) <>
Subject [jira] [Assigned] (SENTRY-1694) Hive/Sentry plugin doesn't check URI effectiveness when calling GRANT
Date Tue, 07 Aug 2018 18:28:00 GMT


Sergio Peña reassigned SENTRY-1694:

    Assignee:     (was: Sergio Peña)

> Hive/Sentry plugin doesn't check URI effectiveness when calling GRANT
> ---------------------------------------------------------------------
>                 Key: SENTRY-1694
>                 URL:
>             Project: Sentry
>          Issue Type: Bug
>          Components: Hive Plugin
>    Affects Versions: 1.7.0
>            Reporter: Sergio Peña
>            Priority: Minor
> Sentry doesn't check URI effectiveness when executing GRANT commands on Hive, even though
it requires full URI path in HDFS.
> GRANT is allowing users to provide any invalid URI paths, like below:
> {noformat}
> GRANT ALL ON URI "hdfs://hdfs://localhost:8020:8020///tmp/myjar.jar" TO ROLE role1"
> {noformat}
> If the user attempts to create a function from the correct URI, then Sentry won't find
the URI and it will fail with a permission denied.
> {noformat}
> Error: Error while compiling statement: FAILED: SemanticException No valid privileges
> User sergio does not have privileges for CREATEFUNCTION
> The required privileges: Server=server1->URI=hdfs://localhost:8020/tmp/myjar.jar->action=*;
> {noformat}
> I noticed that the Hive/Sentry plugin checks if the URI is normalized during the CREATE
FUNCTION command. If not, it will skip it and continue with other available URI.
> I think we should apply the same normalization check during the GRANT to at least alert
the user that URI might be wrong.

This message was sent by Atlassian JIRA

View raw message