Posted to user@hive.apache.org by Loudongfeng <lo...@huawei.com> on 2014/11/25 13:47:44 UTC

Re: Problem with Hive Authorization

Correction:
The HiveServer2 is using SQL Standards authorization with enable.doAs set to true.


From: Loudongfeng [mailto:loudongfeng@huawei.com]
Sent: November 25, 2014 20:14
To: user@hive.apache.org
Cc: Zhenghui; Zhaojun (Terry); Dengjinbo (FusionInsight . IT)
Subject: Problem with Hive Authorization

Hello, list

The background:
Hive 0.13.1 with security enabled.
The HiveServer2 is using SQL Standards authorization with doAs set to false.
Remote Meta Store using storage based authorization.
Impala has access to Hive Meta Store.

The problem:
MetaStore APIs such as grant_role, revoke_role, grant_privileges, revoke_privileges and so on are not checked for authorization.
Malicious users can add themselves to the admin role through MetaStore's grant_role API, and then add bad UDFs or revoke other users' privileges.

So, is there a solution for this? Or is there a plan to fix this in future Hive releases?
Hive 0.14.0 has added privilege checking for queries like get_tables in HIVE-8221 (thanks to Thejas M Nair), but the APIs I mentioned above are not included.
HIVE-7209 tends to deny remote access from MetaStore, which would make Impala not work properly.
Any suggestion is appreciated.


Best Regards.
         NemonLou
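
A configuration check for the gap described in this message, added here as an example; it is not part of the original post and not Hive project code. It assumes Hive 0.14 or later, where the HIVE-7209 authorizer class exists; the function names and the sample hive-site.xml contents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Real Hive property and class names; the hive-site.xml samples below are constructed.
MGR_KEY = "hive.security.metastore.authorization.manager"
LSN_KEY = "hive.metastore.pre.event.listeners"
PKG = "org.apache.hadoop.hive.ql.security.authorization."
LISTENER = PKG + "AuthorizationPreEventListener"
STORAGE = PKG + "StorageBasedAuthorizationProvider"
EMBED_ONLY = PKG + "MetaStoreAuthzAPIAuthorizerEmbedOnly"  # from HIVE-7209 (assumes 0.14+)

def load_props(xml_text):
    """Return {property name: [comma-separated values]} from hive-site.xml text."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        value = (prop.findtext("value") or "").strip()
        props[name] = [v.strip() for v in value.split(",") if v.strip()]
    return props

def audit_metastore_authz(xml_text):
    """Hypothetical helper: list gaps in the metastore-side authorization config."""
    props = load_props(xml_text)
    managers, listeners = props.get(MGR_KEY, []), props.get(LSN_KEY, [])
    findings = []
    if LISTENER not in listeners:
        findings.append("no AuthorizationPreEventListener: metastore authorizers are never invoked")
    if STORAGE not in managers:
        findings.append("no StorageBasedAuthorizationProvider in the authorizer chain")
    if EMBED_ONLY not in managers:
        # Storage-based checks alone do not cover the role/privilege API.
        findings.append("grant_role/revoke_role/grant_privileges/revoke_privileges "
                        "accepted from remote metastore clients")
    return findings

def site(managers, listeners=LISTENER):
    """Build a constructed hive-site.xml string for the demo."""
    return ("<configuration>"
            f"<property><name>{LSN_KEY}</name><value>{listeners}</value></property>"
            f"<property><name>{MGR_KEY}</name><value>{managers}</value></property>"
            "</configuration>")

AS_DESCRIBED = site(STORAGE)                   # storage-based authorization only
RESTRICTED = site(STORAGE + ", " + EMBED_ONLY) # adds the HIVE-7209 authorizer

if __name__ == "__main__":
    for label, xml_text in (("as described", AS_DESCRIBED), ("restricted", RESTRICTED)):
        print(label, audit_metastore_authz(xml_text) or "no gaps found")
```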