You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@hive.apache.org by "Abhay (Jira)" <ji...@apache.org> on 2021/09/16 18:23:00 UTC

[jira] [Updated] (HIVE-25532) Fix authorization support for Kill Query Command

     [ https://issues.apache.org/jira/browse/HIVE-25532?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Abhay updated HIVE-25532:
-------------------------
    Description: 
We added authorization for Kill Query command some time back with the help of Ranger. Below is the ticket https://issues.apache.org/jira/browse/RANGER-1851

However, we have observed that this hasn't been working as expected. The Ranger service expects Hive to send in a privilege object of the type SERVICE_NAME but we can see below
 [https://github.com/apache/hive/blob/master/service/src/java/org/apache/hive/service/server/KillQueryImpl.java#L131] that it is sending an empty array list. 
 The Ranger service never throws an exception to this and this results in any user being able to kill any query even though they don't have necessary permissions.

  was:
We added authorization for Kill Query command some time back with the help of Ranger. Below is the ticket https://issues.apache.org/jira/browse/RANGER-1851

However, we have observed that this hasn't been working as expected. The Ranger service expects Hive to send in a privilege object of the type SERVICE_NAME but we can see below
[https://github.com/apache/hive/blob/master/service/src/java/org/apache/hive/service/server/KillQueryImpl.java#L131] that it is sending an empty array list. 
The Ranger service never throws an exception to this and this results in any user being able to kill any other query even though they don't have necessary permissions.


> Fix authorization support for Kill Query Command
> ------------------------------------------------
>
>                 Key: HIVE-25532
>                 URL: https://issues.apache.org/jira/browse/HIVE-25532
>             Project: Hive
>          Issue Type: Bug
>          Components: HiveServer2
>            Reporter: Abhay
>            Assignee: Abhay
>            Priority: Major
>
> We added authorization for Kill Query command some time back with the help of Ranger. Below is the ticket https://issues.apache.org/jira/browse/RANGER-1851
> However, we have observed that this hasn't been working as expected. The Ranger service expects Hive to send in a privilege object of the type SERVICE_NAME but we can see below
>  [https://github.com/apache/hive/blob/master/service/src/java/org/apache/hive/service/server/KillQueryImpl.java#L131] that it is sending an empty array list. 
>  The Ranger service never throws an exception to this and this results in any user being able to kill any query even though they don't have necessary permissions.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)