Posted to dev@hive.apache.org by "Prasad Mujumdar (JIRA)" <ji...@apache.org> on 2014/11/17 03:45:34 UTC

[jira] [Created] (HIVE-8893) Implement whitelist for builtin UDFs to avoid untrusted code execution in multiuser mode

Prasad Mujumdar created HIVE-8893:
-------------------------------------

             Summary: Implement whitelist for builtin UDFs to avoid untrusted code execution in multiuser mode
                 Key: HIVE-8893
                 URL: https://issues.apache.org/jira/browse/HIVE-8893
             Project: Hive
          Issue Type: Bug
          Components: Authorization, HiveServer2, SQL
    Affects Versions: 0.14.0
            Reporter: Prasad Mujumdar
            Assignee: Prasad Mujumdar
             Fix For: 0.15.0


The UDFs like reflect() or java_method() enable executing a Java method as a UDF. While this offers a lot of flexibility in the standalone mode, it can become a security loophole in a secure multiuser environment. For example, in HiveServer2 one can execute any available Java code with user hive's credentials.
We need a whitelist and blacklist to restrict builtin UDFs in HiveServer2.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
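
The following audit sketch is an added example, not part of the original message and not Hive's own code: it reads a hive-site.xml and reports whether reflect() and java_method() are still callable. The property names hive.server2.builtin.udf.whitelist and hive.server2.builtin.udf.blacklist are HiveServer2 settings that the message itself does not name; the precedence used (blacklist wins, empty whitelist allows everything, names compared case-insensitively) is an assumption, as are the sample configurations.

```python
import xml.etree.ElementTree as ET

# Property names are HiveServer2 settings not named in the message above.
WHITELIST = "hive.server2.builtin.udf.whitelist"
BLACKLIST = "hive.server2.builtin.udf.blacklist"
# The two UDFs the issue singles out as running arbitrary Java methods.
RISKY_UDFS = ("reflect", "java_method")

def _name_list(value):
    """Split a comma-separated property value into lower-cased UDF names."""
    return {n.strip().lower() for n in (value or "").split(",") if n.strip()}

def load_udf_lists(hive_site_xml):
    """Return (whitelist, blacklist) sets parsed from hive-site.xml text."""
    props = {}
    for prop in ET.fromstring(hive_site_xml).iter("property"):
        props[(prop.findtext("name") or "").strip()] = prop.findtext("value")
    return _name_list(props.get(WHITELIST)), _name_list(props.get(BLACKLIST))

def udf_allowed(name, whitelist, blacklist):
    """Assumed semantics: blacklist wins; an empty whitelist allows everything."""
    name = name.lower()
    if name in blacklist:
        return False
    return not whitelist or name in whitelist

def exposed_udfs(hive_site_xml):
    """List the risky UDFs that this configuration still lets users call."""
    wl, bl = load_udf_lists(hive_site_xml)
    return [u for u in RISKY_UDFS if udf_allowed(u, wl, bl)]

# Constructed sample configurations (not from a real deployment).
DEFAULT_CONF = "<configuration></configuration>"
BLACKLIST_CONF = """<configuration>
  <property><name>hive.server2.builtin.udf.blacklist</name>
    <value>reflect, JAVA_METHOD</value></property>
</configuration>"""
WHITELIST_CONF = """<configuration>
  <property><name>hive.server2.builtin.udf.whitelist</name>
    <value>upper,lower,concat,reflect</value></property>
</configuration>"""

if __name__ == "__main__":
    for label, conf in [("default", DEFAULT_CONF), ("blacklist", BLACKLIST_CONF),
                        ("whitelist", WHITELIST_CONF)]:
        print(label, "->", exposed_udfs(conf) or "none exposed")
```

The third sample shows the failure mode worth checking for: a whitelist that itself lists reflect leaves the loophole open even though a restriction appears to be configured.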