Posted to issues@hive.apache.org by "Wenchao Li (Jira)" <ji...@apache.org> on 2020/05/13 13:18:00 UTC

[jira] [Updated] (HIVE-23461) Needs to capture input/output entities in explainRewrite

     [ https://issues.apache.org/jira/browse/HIVE-23461?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Wenchao Li updated HIVE-23461:
------------------------------
    Description: 
HIVE-18778 (CVE-2018-1314) captures input/output entities in the explain semantic analyzer, so when a query is disallowed by the Ranger, Sentry or Sqlstd authorizer, the corresponding explain statement will be disallowed as well.

However, ExplainSQRewriteSemanticAnalyzer also uses an instance of DDLSemanticAnalyzer to analyze the explain rewrite query.
{code:java}
SemanticAnalyzer sem = (SemanticAnalyzer)
 SemanticAnalyzerFactory.get(queryState, input);
sem.analyze(input, ctx);
sem.validate();{code}
 

The input/output entities for this query are never set on the instance of ExplainSQRewriteSemanticAnalyzer itself and thus are not propagated into the HookContext in the calling Driver code. It is a similar issue to HIVE-18778.

  was:
HIVE-18778 (CVE-2018-1314) captures input/output entities in the explain semantic analyzer, so when a query is disallowed by the Ranger, Sentry or Sqlstd authorizer, the corresponding explain statement will be disallowed as well.

However, ExplainSQRewriteSemanticAnalyzer also uses an instance of DDLSemanticAnalyzer to analyze the explain rewrite query.

 
{code:java}
SemanticAnalyzer sem = (SemanticAnalyzer)
 SemanticAnalyzerFactory.get(queryState, input);
sem.analyze(input, ctx);
sem.validate();

The input/output entities for this query are never set on the instance of ExplainSQRewriteSemanticAnalyzer itself and thus are not propagated into the HookContext in the calling Driver code. It is a similar issue to HIVE-18778.{code}
 


> Needs to capture input/output entities in explainRewrite
> --------------------------------------------------------
>
>                 Key: HIVE-23461
>                 URL: https://issues.apache.org/jira/browse/HIVE-23461
>             Project: Hive
>          Issue Type: Improvement
>            Reporter: Wenchao Li
>            Priority: Major
>
> HIVE-18778 (CVE-2018-1314) captures input/output entities in the explain semantic analyzer, so when a query is disallowed by the Ranger, Sentry or Sqlstd authorizer, the corresponding explain statement will be disallowed as well.
> However, ExplainSQRewriteSemanticAnalyzer also uses an instance of DDLSemanticAnalyzer to analyze the explain rewrite query.
> {code:java}
> SemanticAnalyzer sem = (SemanticAnalyzer)
>  SemanticAnalyzerFactory.get(queryState, input);
> sem.analyze(input, ctx);
> sem.validate();{code}
>  
> The input/output entities for this query are never set on the instance of ExplainSQRewriteSemanticAnalyzer itself and thus are not propagated into the HookContext in the calling Driver code. It is a similar issue to HIVE-18778.



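The gap described in the issue, as an added example that is not Hive source code and not part of the original message: a wrapper analyzer delegates to an inner analyzer, and the driver-side authorization check only sees entities that are copied back onto the wrapper. All class, method and table names here are hypothetical, and the query and policy are constructed.

```java
import java.util.*;

// Simplified model, not Hive source: class and method names are hypothetical.
public class ExplainEntityPropagation {
    /** Analyzer result container: the driver authorizes only what it finds here. */
    static class Analyzer {
        final Set<String> inputs = new LinkedHashSet<>();
        final Set<String> outputs = new LinkedHashSet<>();
        void analyze(String query) {
            // Toy parser: "SELECT ... FROM <table>" reads <table>.
            String[] tok = query.trim().split("\\s+");
            for (int i = 0; i + 1 < tok.length; i++)
                if (tok[i].equalsIgnoreCase("FROM")) inputs.add(tok[i + 1]);
        }
    }

    /** Wrapper that analyzes the inner query with a separate analyzer instance. */
    static class ExplainWrapper extends Analyzer {
        final boolean propagate;
        ExplainWrapper(boolean propagate) { this.propagate = propagate; }
        @Override void analyze(String query) {
            Analyzer sem = new Analyzer();
            sem.analyze(query);
            if (propagate) {            // the step the issue says is missing
                inputs.addAll(sem.inputs);
                outputs.addAll(sem.outputs);
            }
        }
    }

    /** Driver-side check: sees only the entities on the top-level analyzer. */
    static boolean authorize(Analyzer top, Set<String> denied) {
        for (String e : top.inputs) if (denied.contains(e)) return false;
        for (String e : top.outputs) if (denied.contains(e)) return false;
        return true;
    }

    public static void main(String[] args) {
        Set<String> denied = Set.of("hr.salaries");   // constructed policy
        String q = "SELECT * FROM hr.salaries";       // constructed query
        for (boolean propagate : new boolean[] {false, true}) {
            ExplainWrapper w = new ExplainWrapper(propagate);
            w.analyze(q);
            System.out.println("propagate=" + propagate + " inputs=" + w.inputs
                + " allowed=" + authorize(w, denied));
        }
    }
}
```

Without propagation the wrapper's entity sets stay empty, so the authorization check has nothing to deny; with propagation the denied table reaches the check and the statement is rejected.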