Posted to issues@hive.apache.org by "Thejas M Nair (JIRA)" <ji...@apache.org> on 2018/08/24 15:50:00 UTC

[jira] [Commented] (HIVE-20457) Create authorization mechanism for granting/revoking privileges to change Hive properties

    [ https://issues.apache.org/jira/browse/HIVE-20457?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16591838#comment-16591838 ] 

Thejas M Nair commented on HIVE-20457:
--------------------------------------

When either SQL standard authorization or Ranger authorization is enabled, it automatically limits the configuration changes to configs in a whitelist. The config that is used for this can also be configured using [whitelist configuration|https://cwiki.apache.org/confluence/display/Hive/Configuration+Properties#ConfigurationProperties-hive.security.authorization.sqlstd.confwhitelist].

There is also the [hive.conf.restricted.list|https://cwiki.apache.org/confluence/display/Hive/Configuration+Properties#ConfigurationProperties-hive.conf.restricted.list] config parameter.

There is also another authorizer that does limited checks which includes whitelist auto-setup, which is in the works. This one would work well with storage based authorization.


> Create authorization mechanism for granting/revoking privileges to change Hive properties
> -----------------------------------------------------------------------------------------
>
>                 Key: HIVE-20457
>                 URL: https://issues.apache.org/jira/browse/HIVE-20457
>             Project: Hive
>          Issue Type: Improvement
>          Components: Security
>            Reporter: Oleksiy Sayankin
>            Assignee: Oleksiy Sayankin
>            Priority: Critical
>              Labels: authorization
>
> At the moment any user in Hive can change any property of Hive. So he can set {{hive.exec.pre.hooks}} to a hook that implements dangerous code. It would be nice to create roles and assign a list of properties that a particular role is able to modify. For example, {{admin}} role has permissions to change any property, and {{hive_client}} can change only {{hive.txn.timeout}}.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
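
A simplified model of the two controls named in the comment above, added here as an example (not code from Hive or from either poster): it reports which property names a session could still change under a given whitelist regex and restricted list. The matching semantics, the helper names `can_set` and `audit`, and all sample values are assumptions; the whitelist is documented as a Java regex, which Python's `re` only approximates for simple patterns.

```python
import re

# Constructed sample values, not Hive defaults. The whitelist is a regex over
# property names; the restricted list is a comma-separated list of names.
SAMPLE_WHITELIST = r"hive\.txn\.timeout|hive\.exec\.reducers\..*|mapreduce\.job\.queuename"
SAMPLE_RESTRICTED = "hive.security.authorization.manager,hive.exec.pre.hooks"


def can_set(name, whitelist_regex, restricted_csv):
    """Return (allowed, reason) for a session-level `set name=...`.

    Assumed semantics for this model: a name that equals or is prefixed by
    a restricted entry is always refused; when a whitelist is active
    (not None) the whole name must match it.
    """
    restricted = [r.strip() for r in restricted_csv.split(",") if r.strip()]
    for entry in restricted:
        if name.startswith(entry):
            return False, f"restricted by {entry}"
    if whitelist_regex is not None and not re.fullmatch(whitelist_regex, name):
        return False, "not in whitelist"
    return True, "allowed"


def audit(properties, whitelist_regex, restricted_csv):
    """Map each property name to its (allowed, reason) decision."""
    return {p: can_set(p, whitelist_regex, restricted_csv) for p in properties}


if __name__ == "__main__":
    # The two properties named in the issue, plus a sibling hook property.
    names = ["hive.exec.pre.hooks", "hive.txn.timeout", "hive.exec.post.hooks"]
    # Three cases: a narrow whitelist, an over-broad one, and no whitelist
    # (the situation the issue describes, with no authorizer enforcing one).
    for wl in (SAMPLE_WHITELIST, r"hive\..*", None):
        print("whitelist:", wl)
        for name, (ok, why) in audit(names, wl, SAMPLE_RESTRICTED).items():
            state = "SETTABLE" if ok else "blocked"
            print(f"  {name:22} {state:8} ({why})")
```

Running the audit against a deployment's real whitelist and restricted-list values shows whether hook-type properties are reachable from a user session before relying on either control.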