Posted to issues@hive.apache.org by "Syed Shameerur Rahman (Jira)" <ji...@apache.org> on 2021/11/08 09:30:00 UTC

[jira] [Assigned] (HIVE-25680) Authorize #get_table_meta HiveMetastore Server API to use any of the HiveMetastore Authorization model

     [ https://issues.apache.org/jira/browse/HIVE-25680?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Syed Shameerur Rahman reassigned HIVE-25680:
--------------------------------------------


> Authorize #get_table_meta HiveMetastore Server API to use any of the HiveMetastore Authorization model
> ------------------------------------------------------------------------------------------------------
>
>                 Key: HIVE-25680
>                 URL: https://issues.apache.org/jira/browse/HIVE-25680
>             Project: Hive
>          Issue Type: Bug
>    Affects Versions: All Versions
>            Reporter: Syed Shameerur Rahman
>            Assignee: Syed Shameerur Rahman
>            Priority: Major
>             Fix For: 4.0.0
>
>         Attachments: Screenshot 2021-11-08 at 2.39.30 PM.png
>
>
> Apache Hue or any other application which uses the #get_table_meta API is not gated to use any of the authorization models which HiveMetastore provides.
> For more information on the Storage Based Authorization Model: https://cwiki.apache.org/confluence/display/Hive/HCatalog+Authorization
> You can easily reproduce this with Apache Hive + Apache Hue:
> {code:java}
>   <property>
>     <name>hive.security.metastore.authorization.manager</name>
>     <value>org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider</value>
>   </property>
>   <property>
>     <name>hive.security.metastore.authenticator.manager</name>
>     <value>org.apache.hadoop.hive.ql.security.HadoopDefaultMetastoreAuthenticator</value>
>   </property>
>   <property>
>     <name>hive.metastore.pre.event.listeners</name>
>     <value>org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener</value>
>   </property>
> {code}
> {code:java}
> #!/bin/bash
> set -x
> hdfs dfs -mkdir /datasets
> hdfs dfs -mkdir /datasets/database1
> hdfs dfs -mkdir /datasets/database1/table1
> echo "stefano,1992" | hdfs dfs -put - /datasets/database1/table1/file1.csv
> hdfs dfs -chmod -R 700 /datasets/database1
> sudo tee -a setup.hql > /dev/null <<EOT
> CREATE DATABASE IF NOT EXISTS database1 LOCATION "/datasets/database1";
> CREATE EXTERNAL TABLE IF NOT EXISTS database1.table1 (
>   name string, 
>   year int)
> ROW FORMAT DELIMITED
> FIELDS TERMINATED BY ','
> LOCATION
>   '/datasets/database1/table1';
> EOT
> hive -f setup.hql
> {code}
> 1. Log in to Hue => create the first user called "admin" and provide a password. Access the Hive Editor.
> 2. In the SQL section on the left, under Databases, you should see default and database1 listed. Click on database1.
> 3. As you can see, a table called table1 is listed => this should not be possible, as our admin user has no HDFS grants on /datasets/database1.
> 4. Run the following query from the Hive editor: SHOW TABLES; The output shows a Permission denied error => this is the expected behavior.



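A simplified model of the gap described in the report, added here as an illustration; it is not Hive code and not part of the original message. The directory owner `hive`, the group `hadoop`, and all function names are assumptions, and the permission check is a plain POSIX-style approximation of storage-based authorization.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Inode:
    owner: str
    group: str
    mode: int  # POSIX permission bits, e.g. 0o700

# Constructed namespace mirroring the reproduction script
# (chmod -R 700 /datasets/database1). Owner and group are assumptions.
FS = {
    "/": Inode("hdfs", "hadoop", 0o755),
    "/datasets": Inode("hive", "hadoop", 0o755),
    "/datasets/database1": Inode("hive", "hadoop", 0o700),
    "/datasets/database1/table1": Inode("hive", "hadoop", 0o700),
}
# Constructed metastore contents: (database, table) -> storage location.
TABLES = {("database1", "table1"): "/datasets/database1/table1"}

def allowed(user, groups, path, want):
    """True if the user holds the bits in `want` (4=r, 2=w, 1=x) on path."""
    node = FS[path]
    if user == node.owner:
        bits = node.mode >> 6
    elif node.group in groups:
        bits = node.mode >> 3
    else:
        bits = node.mode
    return (bits & want) == want

def can_read_location(user, groups, path):
    """Traverse (x) on every ancestor plus read (r) on the directory itself."""
    parts = path.strip("/").split("/")
    ancestors = ["/"] + ["/" + "/".join(parts[:i]) for i in range(1, len(parts))]
    return (all(allowed(user, groups, a, 1) for a in ancestors)
            and allowed(user, groups, path, 4))

def get_table_meta_ungated():
    """Reported behaviour: table names are returned with no permission check."""
    return sorted(TABLES)

def get_table_meta_gated(user, groups):
    """Expected behaviour: only tables whose location the caller can read."""
    return sorted(t for t, loc in TABLES.items()
                  if can_read_location(user, groups, loc))
```

In this model the Hue "admin" user fails the traverse check on `/datasets/database1`, so a gated listing hides `table1`, which matches the Permission denied result that `SHOW TABLES` already gives in step 4.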