[ https://issues.apache.org/jira/browse/HIVE-2538?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Carl Steinbach updated HIVE-2538:
---------------------------------
    Component/s: Authorization

> Database level authorization can be circumvented by first "using" a database
> that one has ALL privileges to
> -----------------------------------------------------------------------------------------------------------
>
>                 Key: HIVE-2538
>                 URL: https://issues.apache.org/jira/browse/HIVE-2538
>             Project: Hive
>          Issue Type: Bug
>          Components: Authorization, Security
>    Affects Versions: 0.7.1
>            Reporter: Sriram Krishnan
>
> You can replicate this bug by recreating my setup, which I describe below:
> I have our "default" database set up to only allow SELECT for user
> "skrishnan". But user skrishnan has "ALL" privileges on database "skrishnan".
> The following works correctly (i.e., user shouldn't be able to create a table
> in the default database):
> hive> use default;
> OK
> Time taken: 0.043 seconds
> hive> create table skrishnan_test(i int);
> Authorization failed:No privilege 'Create' found for outputs {
> database:default}. Use show grant to get more details. (*Correct Behavior*)
> However, user skrishnan can indeed create tables in the default database by
> doing this:
> hive> use skrishnan;
> OK
> Time taken: 0.038 seconds
> hive> create table *default.skrishnan_test(i int);*
> OK
> Time taken: 0.34 seconds (*Incorrect behavior*)
> That means that the database level authorization is basically circumvented by
> first using a database that a user has all privileges to. And then using the
> fully qualified table name (db_name.table_name) for a database that a user
> doesn't have permissions to.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
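The behaviour in the report above, modelled as an added example (not Hive's code and not from the reporter): it assumes the bypass comes from checking CREATE against the session's current database, and contrasts that with a check against the database the table reference resolves to. The grants table and every function name here are constructed for illustration.

```python
# Toy model of a database-level CREATE check; not Hive's authorization code.
# Grants mirror the report: SELECT on "default", ALL on "skrishnan".
GRANTS = {
    ("skrishnan", "default"): {"SELECT"},
    ("skrishnan", "skrishnan"): {"ALL"},
}

def has_priv(user, db, priv):
    held = GRANTS.get((user, db), set())
    return "ALL" in held or priv in held

def target_db(table_ref, session_db):
    """Database a table reference resolves to; an explicit qualifier wins."""
    db, sep, _table = table_ref.partition(".")
    return db if sep else session_db

def authorize_create_session_db(user, session_db, table_ref):
    # Assumed flawed check: consults only the session's current database,
    # which reproduces the outcome described in the report.
    return has_priv(user, session_db, "CREATE")

def authorize_create_target_db(user, session_db, table_ref):
    # Checks the database the statement actually writes to.
    return has_priv(user, target_db(table_ref, session_db), "CREATE")

# (current database, table reference, expected decision)
# The first two rows are the report's statements; the last two are controls.
CASES = [
    ("default", "skrishnan_test", False),
    ("skrishnan", "default.skrishnan_test", False),
    ("skrishnan", "skrishnan_test", True),
    ("default", "skrishnan.skrishnan_test", True),
]

def regressions(check, user="skrishnan"):
    """Return the cases where `check` disagrees with the expected decision."""
    return [(db, ref) for db, ref, want in CASES if check(user, db, ref) != want]

if __name__ == "__main__":
    print("session-db check mismatches:", regressions(authorize_create_session_db))
    print("target-db check mismatches: ", regressions(authorize_create_target_db))
```

The same four-row matrix works as a regression test against a real deployment: run each statement as the restricted user and compare the outcome with the expected column.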