Posted to issues@hive.apache.org by "Syed Shameerur Rahman (Jira)" <ji...@apache.org> on 2021/11/09 05:04:00 UTC
[jira] [Commented] (HIVE-25680) Authorize #get_table_meta HiveMetastore Server API to use any of the HiveMetastore Authorization model
[ https://issues.apache.org/jira/browse/HIVE-25680?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17440904#comment-17440904 ]
Syed Shameerur Rahman commented on HIVE-25680:
----------------------------------------------
[~kgyrtkirk] Could you please review the changes?
> Authorize #get_table_meta HiveMetastore Server API to use any of the HiveMetastore Authorization model
> ------------------------------------------------------------------------------------------------------
>
> Key: HIVE-25680
> URL: https://issues.apache.org/jira/browse/HIVE-25680
> Project: Hive
> Issue Type: Bug
> Components: Standalone Metastore
> Affects Versions: All Versions
> Reporter: Syed Shameerur Rahman
> Assignee: Syed Shameerur Rahman
> Priority: Major
> Labels: pull-request-available
> Fix For: 4.0.0
>
> Attachments: Screenshot 2021-11-08 at 2.39.30 PM.png
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> Apache Hue or any other application which uses the #get_table_meta API is not gated to use any of the authorization models which HiveMetastore provides.
> For more information on the Storage Based Authorization Model: https://cwiki.apache.org/confluence/display/Hive/HCatalog+Authorization
> You can easily reproduce this with Apache Hive + Apache Hue
> {code:xml}
> <property>
>   <name>hive.security.metastore.authorization.manager</name>
>   <value>org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider</value>
> </property>
> <property>
>   <name>hive.security.metastore.authenticator.manager</name>
>   <value>org.apache.hadoop.hive.ql.security.HadoopDefaultMetastoreAuthenticator</value>
> </property>
> <property>
>   <name>hive.metastore.pre.event.listeners</name>
>   <value>org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener</value>
> </property>
> {code}
> {code:bash}
> #!/bin/bash
> set -x
> hdfs dfs -mkdir /datasets
> hdfs dfs -mkdir /datasets/database1
> hdfs dfs -mkdir /datasets/database1/table1
> echo "stefano,1992" | hdfs dfs -put - /datasets/database1/table1/file1.csv
> hdfs dfs -chmod -R 700 /datasets/database1
> sudo tee -a setup.hql > /dev/null <<EOT
> CREATE DATABASE IF NOT EXISTS database1 LOCATION "/datasets/database1";
> CREATE EXTERNAL TABLE IF NOT EXISTS database1.table1 (
> name string,
> year int)
> ROW FORMAT DELIMITED
> FIELDS TERMINATED BY ','
> LOCATION
> '/datasets/database1/table1';
> EOT
> hive -f setup.hql
> {code}
> 1. Log in to Hue => create the first user called "admin" and provide a password. Access the Hive Editor.
> 2. In the SQL section on the left, under Databases, you should see default and database1 listed. Click on database1.
> 3. As you can see, a table called table1 is listed => this should not be possible, as our admin user has no HDFS grants on /datasets/database1.
> 4. Run the following query from the Hive editor: SHOW TABLES; The output shows a Permission denied error => this is the expected behavior.
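The gap described in the issue, as an added sketch that is not part of the original message and is not Hive's code: a table-metadata listing that skips the storage check, next to one that applies it. The `Dir` class, the `WAREHOUSE` contents, the `hadoop` and `hive` owners, the `t0` table and the rule that listing needs read and execute on the database directory are assumptions made for this model; filtering rather than raising an error is also a choice made here.

```python
# Toy model (constructed for illustration; not Hive code) of storage-based
# authorization applied to a metadata-listing call such as get_table_meta.
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Dir:
    owner: str
    group: str
    mode: int  # POSIX permission bits, e.g. 0o700


# Constructed sample state mirroring the reproduction script on this page:
# /datasets/database1 is chmod 700; owner names are assumed placeholders.
WAREHOUSE = {
    "default": (Dir("hive", "hadoop", 0o755), ["t0"]),
    "database1": (Dir("hadoop", "hadoop", 0o700), ["table1"]),
}


def can_list(user, groups, d):
    """True if the user has read+execute on the directory (owner/group/other)."""
    if user == d.owner:
        r, x = stat.S_IRUSR, stat.S_IXUSR
    elif d.group in groups:
        r, x = stat.S_IRGRP, stat.S_IXGRP
    else:
        r, x = stat.S_IROTH, stat.S_IXOTH
    return bool(d.mode & r) and bool(d.mode & x)


def get_table_meta_ungated(user, groups):
    """Behaviour reported in the issue: caller identity is never consulted."""
    return [(db, t) for db, (_, tables) in WAREHOUSE.items() for t in tables]


def get_table_meta_gated(user, groups):
    """Same listing, but each database must pass the storage check first."""
    return [(db, t) for db, (d, tables) in WAREHOUSE.items()
            if can_list(user, groups, d) for t in tables]


if __name__ == "__main__":
    # "admin" is the Hue user from the steps above, with no HDFS grants.
    print("ungated:", get_table_meta_ungated("admin", set()))
    print("gated:  ", get_table_meta_gated("admin", set()))
```
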