Syed Shameerur Rahman created HIVE-25680:
--------------------------------------------

             Summary: Authorize #get_table_meta HiveMetastore Server API to use any of the HiveMetastore Authorization model
                 Key: HIVE-25680
                 URL: https://issues.apache.org/jira/browse/HIVE-25680
             Project: Hive
          Issue Type: Bug
    Affects Versions: All Versions
            Reporter: Syed Shameerur Rahman
            Assignee: Syed Shameerur Rahman
             Fix For: 4.0.0
         Attachments: Screenshot 2021-11-08 at 2.39.30 PM.png

Apache Hue, or any other application that uses the #get_table_meta API, is not 
gated by any of the authorization models that HiveMetastore provides.

For more information on the Storage Based Authorization model: 
https://cwiki.apache.org/confluence/display/Hive/HCatalog+Authorization

You can easily reproduce this with Apache Hive + Apache Hue

{code:xml}
  <property>
    <name>hive.security.metastore.authorization.manager</name>
    <value>org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider</value>
  </property>

  <property>
    <name>hive.security.metastore.authenticator.manager</name>
    <value>org.apache.hadoop.hive.ql.security.HadoopDefaultMetastoreAuthenticator</value>
  </property>

  <property>
    <name>hive.metastore.pre.event.listeners</name>
    <value>org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener</value>
  </property>
{code}


{code:bash}
#!/bin/bash

set -x

# Create the database and table directories on HDFS
hdfs dfs -mkdir /datasets
hdfs dfs -mkdir /datasets/database1
hdfs dfs -mkdir /datasets/database1/table1

# Load one sample row into the table location
echo "stefano,1992" | hdfs dfs -put - /datasets/database1/table1/file1.csv

# Restrict the whole database directory to its owner only
hdfs dfs -chmod -R 700 /datasets/database1

# Write the DDL that maps the database and external table onto those paths
sudo tee -a setup.hql > /dev/null <<EOT
CREATE DATABASE IF NOT EXISTS database1 LOCATION "/datasets/database1";

CREATE EXTERNAL TABLE IF NOT EXISTS database1.table1 (
  name string, 
  year int)
ROW FORMAT DELIMITED
FIELDS TERMINATED BY ','
LOCATION
  '/datasets/database1/table1';
EOT

hive -f setup.hql
{code}

1. Log in to Hue => create the first user called "admin" and provide a password. 
Access the Hive Editor.
2. In the SQL section on the left, under Databases, you should see default and 
database1 listed. Click on database1.
3. As you can see, a table called table1 is listed => this should not be 
possible, as our admin user has no HDFS grants on /datasets/database1.
4. Run the following query from the Hive editor: SHOW TABLES; The output shows a 
Permission denied error => this is the expected behavior.
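
The following is an added example, not part of the original report or of Hive itself: a small audit that parses a hive-site.xml document and reports which of the three metastore authorization settings from the snippet above are missing or point at a different class. The sample documents and the `com.example.AuditListener` class are constructed for illustration; per the report, a clean result does not mean #get_table_meta is gated on affected versions.

```python
import xml.etree.ElementTree as ET

P = "org.apache.hadoop.hive.ql.security."
# Property names and class names as shown in the issue's configuration snippet.
REQUIRED = {
    "hive.security.metastore.authorization.manager":
        P + "authorization.StorageBasedAuthorizationProvider",
    "hive.security.metastore.authenticator.manager":
        P + "HadoopDefaultMetastoreAuthenticator",
    "hive.metastore.pre.event.listeners":
        P + "authorization.AuthorizationPreEventListener",
}

def load_properties(xml_text):
    """Return {name: value}; in this parser a later duplicate overwrites an earlier one."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def audit(xml_text):
    """Return a list of findings; an empty list means all three settings are present."""
    props = load_properties(xml_text)
    findings = []
    for name, expected in REQUIRED.items():
        # Split on commas so a list of classes is handled; harmless for a single class.
        classes = [c.strip() for c in props.get(name, "").split(",") if c.strip()]
        if not classes:
            findings.append(f"{name}: not set")
        elif expected not in classes:
            findings.append(f"{name}: {expected} not among {classes}")
    return findings

def _conf(props):
    """Build a constructed hive-site.xml document from a {name: value} dict."""
    body = "".join(f"<property><name>{n}</name><value>{v}</value></property>"
                   for n, v in props.items())
    return f"<configuration>{body}</configuration>"

# Constructed samples: a complete config whose listener list also carries a
# hypothetical extra class, and one with the pre-event listener left out.
LISTENER = "hive.metastore.pre.event.listeners"
SAMPLE_OK = _conf({**REQUIRED, LISTENER: "com.example.AuditListener, " + REQUIRED[LISTENER]})
SAMPLE_NO_LISTENER = _conf({k: v for k, v in REQUIRED.items() if k != LISTENER})

if __name__ == "__main__":
    for label, doc in (("ok", SAMPLE_OK), ("no listener", SAMPLE_NO_LISTENER)):
        print(label, audit(doc) or "all three settings present")
```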


