Posted to dev@hive.apache.org by "Prasad Mujumdar (JIRA)" <ji...@apache.org> on 2014/11/17 03:45:34 UTC
[jira] [Created] (HIVE-8893) Implement whitelist for builtin UDFs to avoid untrusted code execution in multiuser mode
Prasad Mujumdar created HIVE-8893:
-------------------------------------
Summary: Implement whitelist for builtin UDFs to avoid untrusted code execution in multiuser mode
Key: HIVE-8893
URL: https://issues.apache.org/jira/browse/HIVE-8893
Project: Hive
Issue Type: Bug
Components: Authorization, HiveServer2, SQL
Affects Versions: 0.14.0
Reporter: Prasad Mujumdar
Assignee: Prasad Mujumdar
Fix For: 0.15.0
UDFs like reflect() or java_method() enable executing a Java method as a UDF. While this offers a lot of flexibility in standalone mode, it can become a security loophole in a secure multiuser environment. For example, in HiveServer2 one can execute any available Java code with user hive's credentials.
We need a whitelist and blacklist to restrict builtin UDFs in HiveServer2.
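A sketch of the whitelist/blacklist check the issue asks for, added here as an illustration; it is not code from the issue or from Hive. The class and method names are hypothetical, and it assumes that the blacklist takes precedence and that an empty whitelist means no whitelist is configured.

```java
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

// Added illustration, not Hive's code: BuiltinUdfPolicy and its methods are hypothetical names.
public class BuiltinUdfPolicy {
    private final Set<String> whitelist;
    private final Set<String> blacklist;

    public BuiltinUdfPolicy(String whitelistCsv, String blacklistCsv) {
        this.whitelist = parse(whitelistCsv);
        this.blacklist = parse(blacklistCsv);
    }

    // Hive resolves function names case-insensitively, so normalise every
    // configured name once; otherwise "REFLECT" would slip past "reflect".
    private static Set<String> parse(String csv) {
        Set<String> names = new HashSet<>();
        if (csv == null) {
            return names;
        }
        for (String raw : csv.split(",")) {
            String name = raw.trim().toLowerCase(Locale.ROOT);
            if (!name.isEmpty()) {
                names.add(name);
            }
        }
        return names;
    }

    // Assumed semantics: a blacklisted name is always denied; a non-empty
    // whitelist turns the policy into default-deny for everything else.
    public boolean isAllowed(String functionName) {
        if (functionName == null) {
            return false;
        }
        String name = functionName.trim().toLowerCase(Locale.ROOT);
        if (blacklist.contains(name)) {
            return false;
        }
        return whitelist.isEmpty() || whitelist.contains(name);
    }

    public static void main(String[] args) {
        // Constructed sample policies; "some_new_udf" is a made-up function name.
        BuiltinUdfPolicy blockOnly = new BuiltinUdfPolicy("", "reflect,java_method");
        BuiltinUdfPolicy strict = new BuiltinUdfPolicy("upper, concat, substr", "");
        for (String fn : new String[] {"REFLECT", "java_method", "upper", "some_new_udf"}) {
            System.out.printf("%-13s blockOnly=%-5b strict=%b%n",
                    fn, blockOnly.isAllowed(fn), strict.isAllowed(fn));
        }
    }
}
```

The blacklist-only policy still admits any function it does not name, while the whitelist policy denies it; that difference is what matters when new builtin UDFs are added later.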