Prasad Mujumdar created HIVE-8893:
-------------------------------------
Summary: Implement whitelist for builtin UDFs to avoid untrusted
code execution in multiuser mode
Key: HIVE-8893
URL: https://issues.apache.org/jira/browse/HIVE-8893
Project: Hive
Issue Type: Bug
Components: Authorization, HiveServer2, SQL
Affects Versions: 0.14.0
Reporter: Prasad Mujumdar
Assignee: Prasad Mujumdar
Fix For: 0.15.0
UDFs like reflect() or java_method() enable executing a Java method as a
UDF. While this offers a lot of flexibility in standalone mode, it can become
a security loophole in a secure multiuser environment. For example, in
HiveServer2 one can execute any available Java code with user hive's
credentials.
We need a whitelist and blacklist to restrict builtin UDFs in HiveServer2.
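A sketch of the whitelist/blacklist check the issue asks for, added here as an illustration; it is not Hive's code or the patch for this issue. The class name `BuiltinUdfPolicy`, the comma-separated list format, and the rule that an empty whitelist means "no whitelist configured" are assumptions of the example.

```java
import java.util.Arrays;
import java.util.Locale;
import java.util.Set;
import java.util.stream.Collectors;

// Hypothetical helper, not a Hive class: decides whether a built-in UDF
// name may be resolved for a query in a multiuser server.
public final class BuiltinUdfPolicy {
    private final Set<String> whitelist;
    private final Set<String> blacklist;

    // Both arguments are comma-separated function names (assumed format).
    public BuiltinUdfPolicy(String whitelistCsv, String blacklistCsv) {
        this.whitelist = parse(whitelistCsv);
        this.blacklist = parse(blacklistCsv);
    }

    // HiveQL function names are case-insensitive, so compare a normalized
    // form; otherwise REFLECT() would slip past an entry spelled "reflect".
    private static String normalize(String name) {
        return name.trim().toLowerCase(Locale.ROOT);
    }

    private static Set<String> parse(String csv) {
        if (csv == null) {
            return Set.of();
        }
        return Arrays.stream(csv.split(","))
                .map(BuiltinUdfPolicy::normalize)
                .filter(s -> !s.isEmpty())
                .collect(Collectors.toUnmodifiableSet());
    }

    // The blacklist always wins; a non-empty whitelist then restricts the
    // remaining names to the ones it lists.
    public boolean isAllowed(String functionName) {
        String name = normalize(functionName);
        if (blacklist.contains(name)) {
            return false;
        }
        return whitelist.isEmpty() || whitelist.contains(name);
    }

    public static void main(String[] args) {
        // Constructed sample policy: block the two UDFs named in the issue.
        BuiltinUdfPolicy policy = new BuiltinUdfPolicy("", "reflect, java_method");
        for (String fn : new String[] {"upper", "REFLECT", "Java_Method", "concat"}) {
            System.out.println(fn + " -> " + (policy.isAllowed(fn) ? "allowed" : "blocked"));
        }
    }
}
```

The check only helps if it runs where the server resolves function names and the lists are fixed by the administrator rather than settable per session.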