[ https://issues.apache.org/jira/browse/HIVE-7295?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14045014#comment-14045014 ]
Chris Nauroth commented on HIVE-7295:
-------------------------------------

Hi, [~xiaobingo]. Overall, I recommend running tests as a non-admin user. If you really prefer to put a workaround in the code, then I recommend limiting the scope of the special case. This code won't be capable of telling the difference between a user named "foo" and a group named "foo". It's common for files to have greater permissions for the owner vs. the group, so if an attacker named "bar" somehow manages to sneak "foo" into his group memberships, then it could cause elevation of privileges. (This is probably unlikely, but I wanted to point it out.)

A couple of suggestions:
# Only trigger the special case if running on Windows and the {{FileSystem}} represents a local file system. This Administrators special case does not apply to other file systems (HDFS or S3 for example).
# Only allow it for Administrators, not any group. This behavior of setting ownership of new files to Administrators is a special case for members of the Administrators group only.

BTW, there is also a Windows policy setting that can be changed so that it won't automatically set ownership of new files to Administrators. This might be another option if you prefer to keep running tests as an admin.

> FileStatus.getOwner on Windows returns name of group the user belongs to, instead of user name expected, fails many authorization related unit tests
> ----------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: HIVE-7295
>                 URL: https://issues.apache.org/jira/browse/HIVE-7295
>             Project: Hive
>          Issue Type: Bug
>          Components: Authorization, HCatalog, Security, Windows
>   Affects Versions: 0.13.0
>         Environment: Windows Server 2008 R2
>            Reporter: Xiaobing Zhou
>            Priority: Critical
>
> Unit test in TestHdfsAuthorizationProvider, e.g. org.apache.hcatalog.security.TestHdfsAuthorizationProvider.testTableOps. fails to run.
> Running org.apache.hcatalog.security.TestHdfsAuthorizationProvider
> Tests run: 1, Failures: 1, Errors: 0, Skipped: 0, Time elapsed: 15.799 sec <<< FAILURE! - in org.apache.hcatalog.security.TestHdfsAuthorizationProvider
> testTableOps(org.apache.hcatalog.security.TestHdfsAuthorizationProvider) Time elapsed: 15.546 sec <<< FAILURE!
> junit.framework.AssertionFailedError: FAILED: AuthorizationException org.apache.hadoop.security.AccessControlException: action WRITE not permitted on path pfile:/Users/xzhou/hworks/workspace/hwx-hive-ws/hive/hcatalog/core/target/warehouse for user xzhou expected:<0> but was:<40000>
>     at junit.framework.Assert.fail(Assert.java:50)
>     at junit.framework.Assert.failNotEquals(Assert.java:287)
>     at junit.framework.Assert.assertEquals(Assert.java:67)
>     at junit.framework.Assert.assertEquals(Assert.java:199)
>     at org.apache.hcatalog.security.TestHdfsAuthorizationProvider.exec(TestHdfsAuthorizationProvider.java:172)
>     at org.apache.hcatalog.security.TestHdfsAuthorizationProvider.testTableOps(TestHdfsAuthorizationProvider.java:307)

--
This message was sent by Atlassian JIRA
(v6.2#6252)
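The scoping suggested in the comment above, as a self-contained Java model of the owner check (an added example, not code from Hive, Hadoop or any HIVE-7295 patch). The types `User` and `FileMeta`, the method names, the literal group name and the sample users and modes are assumptions made for illustration; records need Java 16 or later.

```java
import java.util.Set;

// Hypothetical model: none of these types are Hive or Hadoop classes.
public class OwnerCheckDemo {
    record User(String name, Set<String> groups) {}
    record FileMeta(String owner, String group, int mode, boolean localFs) {}

    // Assumed spelling of the group name as the file system reports it.
    static final String ADMINS = "Administrators";

    // Unscoped workaround: any group whose name equals the owner string counts as ownership.
    static boolean ownerUnscoped(User u, FileMeta f) {
        return u.name().equals(f.owner()) || u.groups().contains(f.owner());
    }

    // Scoped workaround: the group match applies only on Windows, only on a
    // local file system, and only when the owner is the Administrators group.
    static boolean ownerScoped(User u, FileMeta f, boolean onWindows) {
        if (u.name().equals(f.owner())) {
            return true;
        }
        return onWindows && f.localFs()
                && ADMINS.equals(f.owner())
                && u.groups().contains(ADMINS);
    }

    // POSIX-style write check: owner bits if treated as owner, else group bits, else other bits.
    static boolean canWrite(User u, FileMeta f, boolean treatedAsOwner) {
        if (treatedAsOwner) return (f.mode() & 0200) != 0;
        if (u.groups().contains(f.group())) return (f.mode() & 0020) != 0;
        return (f.mode() & 0002) != 0;
    }

    public static void main(String[] args) {
        // Constructed sample data: user "bar" holds a group that shares its name with user "foo".
        User bar = new User("bar", Set.of("foo", "Users"));
        User admin = new User("xzhou", Set.of(ADMINS));
        FileMeta ownedByFoo = new FileMeta("foo", "staff", 0755, true);
        FileMeta adminLocal = new FileMeta(ADMINS, "None", 0755, true);
        FileMeta adminRemote = new FileMeta(ADMINS, "None", 0755, false);

        System.out.println("unscoped, bar writes foo's file:   "
                + canWrite(bar, ownedByFoo, ownerUnscoped(bar, ownedByFoo)));
        System.out.println("scoped,   bar writes foo's file:   "
                + canWrite(bar, ownedByFoo, ownerScoped(bar, ownedByFoo, true)));
        System.out.println("scoped,   admin on local Windows:  "
                + canWrite(admin, adminLocal, ownerScoped(admin, adminLocal, true)));
        System.out.println("scoped,   admin on non-local FS:   "
                + canWrite(admin, adminRemote, ownerScoped(admin, adminRemote, true)));
    }
}
```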