You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@submarine.apache.org by "Pedro Rossi (Jira)" <ji...@apache.org> on 2020/07/09 14:31:00 UTC
[jira] [Created] (SUBMARINE-562) Secure raw read and writes to hdfs
Pedro Rossi created SUBMARINE-562:
-------------------------------------
Summary: Secure raw read and writes to hdfs
Key: SUBMARINE-562
URL: https://issues.apache.org/jira/browse/SUBMARINE-562
Project: Apache Submarine
Issue Type: Improvement
Components: Security
Reporter: Pedro Rossi
I was testing the security plugin inside my company and I noticed that either running a "select * from table" or reading directly the table path on hdfs produces the same plan but in the raw path read it shows the path URI only and this is not considered into the PrivilegesBuilder class, I designed an internal patch for this module at my company to address this issue by adding this to the buildQuery function
{code:java}
case l: LogicalRelation =>
if (l.catalogTable.nonEmpty) {
mergeProjection(l.catalogTable.get)
} else if (l.relation.isInstanceOf[HadoopFsRelation]) {
for (path <- l.relation.asInstanceOf[HadoopFsRelation].location.rootPaths)
privilegeObjects += new SparkPrivilegeObject(
SparkPrivilegeObjectType.DFS_URI, path.toString, path.toString)
}
{code}
and this to the buildCommand function
{code:java}
case i: InsertIntoHadoopFsRelationCommand =>
i.catalogTable foreach { t =>
addTableOrViewLevelObjs(
t.identifier,
outputObjs,
i.partitionColumns.map(_.name),
t.schema.fieldNames)
}
if (i.catalogTable.isEmpty) {
outputObjs += new SparkPrivilegeObject(
SparkPrivilegeObjectType.DFS_URI, i.outputPath.toString, i.outputPath.toString)
}
{code}
but I get this project proposes Hive authorization and not HDFS authorization, but even so people in the Spark environment tend to write temporary files without metastore tables also and this should pass through authorization.
I am creating this issue in order to ask the maintainers if this is relevant and if this is in the same scope of the Security module in order for me to provide a patch for this.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@submarine.apache.org
For additional commands, e-mail: dev-help@submarine.apache.org