[ https://issues.apache.org/jira/browse/HIVE-5479?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13793769#comment-13793769 ]
Hudson commented on HIVE-5479:
------------------------------

FAILURE: Integrated in Hive-trunk-h0.21 #2398 (See [https://builds.apache.org/job/Hive-trunk-h0.21/2398/])
HIVE-5479 : SBAP restricts hcat -e show databases (Sushanth Sowmyan via Ashutosh Chauhan) (hashutosh: http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1531708)
* /hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/StorageBasedAuthorizationProvider.java

> SBAP restricts hcat -e 'show databases'
> ---------------------------------------
>
> Key: HIVE-5479
> URL: https://issues.apache.org/jira/browse/HIVE-5479
> Project: Hive
> Issue Type: Bug
> Components: Authorization, HCatalog
> Affects Versions: 0.12.0
> Reporter: Sushanth Sowmyan
> Assignee: Sushanth Sowmyan
> Fix For: 0.13.0
>
> Attachments: HIVE-5479.patch
>
>
> During testing for 0.12, it was found that if someone tries to use the SBAP
> as a client-side authorization provider, and runs hcat -e "show databases;",
> SBAP denies permission to the user.
> Looking at SBAP code, why it does so is self-evident from this section:
> {code}
>   @Override
>   public void authorize(Privilege[] readRequiredPriv, Privilege[] writeRequiredPriv)
>       throws HiveException, AuthorizationException {
>     // Currently not used in hive code-base, but intended to authorize actions
>     // that are directly user-level. As there's no storage based aspect to this,
>     // we can follow one of two routes:
>     // a) We can allow by default - that way, this call stays out of the way
>     // b) We can deny by default - that way, no privileges are authorized that
>     // is not understood and explicitly allowed.
>     // Both approaches have merit, but given that things like grants and revokes
>     // that are user-level do not make sense from the context of storage-permission
>     // based auth, denying seems to be more canonical here.
>     throw new AuthorizationException(StorageBasedAuthorizationProvider.class.getName() +
>         " does not allow user-level authorization");
>   }
> {code}
> Thus, this deny-by-default behaviour affects the "show databases" call from
> hcat cli, which uses user-level privileges to determine if a user can perform
> that.

--
This message was sent by Atlassian JIRA
(v6.1#6144)