Posted to dev@ranger.apache.org by "Jake Moon (JIRA)" <ji...@apache.org> on 2018/01/09 05:12:00 UTC
[jira] [Created] (RANGER-1947) RangerHivePlugin does not authorize location on INSERT OVERWRITE DIRECTORY query
Jake Moon created RANGER-1947:
---------------------------------
Summary: RangerHivePlugin does not authorize location on INSERT OVERWRITE DIRECTORY query
Key: RANGER-1947
URL: https://issues.apache.org/jira/browse/RANGER-1947
Project: Ranger
Issue Type: Bug
Components: plugins
Affects Versions: 0.7.1
Environment: hadoop 2.7.5 + hive 2.3.2 + ranger 0.7.1
Reporter: Jake Moon
{code}
insert overwrite directory '/user/user1/nonewrite3'
ROW FORMAT DELIMITED
FIELDS TERMINATED BY ','
SELECT u.id, u.age, u.city, c.city
FROM user_table u JOIN city_table c ON (u.city = c.code)
WHERE u.age > 25
AND u.age <= 28
AND c.city = 'New York'
{code}
This query's Hive operation type is HiveOperationType.QUERY, and it also has a write location, 'hdfs://my.cluster/user/user1/nonewrite3'.
RangerHiveAuthorizer must authorize the location, but getURIAccessType(HiveOperationType.QUERY) always returns FsAction.NONE, so it does not work.
If hive-server2 has enough permission on HDFS with no impersonation, every user can format HDFS like this.
{code}
insert overwrite directory '/'
ROW FORMAT DELIMITED
FIELDS TERMINATED BY ','
SELECT 1
{code}
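The gap described in the report, as an added example that is not part of the original message and is not Ranger's code: a small Java model in which a QUERY's URI output is skipped when the required access maps to NONE, beside a variant that requires write access on the normalized target path. The class, enums, method names and the policy map are all hypothetical, and the hardened mapping is an assumption about one possible fix, not the project's actual patch.

```java
import java.net.URI;
import java.util.List;
import java.util.Map;

// Simplified model of the gap reported in RANGER-1947. Every type and name
// here is a hypothetical stand-in; none of it is Ranger or Hive code.
public class UriAuthzModel {
    enum OpType { QUERY, OTHER }
    enum Action { NONE, WRITE }

    // Constructed policy: directory prefixes each user may write under.
    static final Map<String, List<String>> WRITABLE =
            Map.of("user1", List.of("/user/user1/out/"));

    // Access required on a URI output. With hardened == false this mirrors
    // the report: QUERY maps to NONE, so the location is never checked.
    static Action uriAccess(OpType op, boolean hardened) {
        return (op == OpType.QUERY && hardened) ? Action.WRITE : Action.NONE;
    }

    // Strip scheme/authority and resolve "." and ".." before matching.
    static String dirPath(String location) {
        String p = URI.create(location).normalize().getPath();
        return p.endsWith("/") ? p : p + "/";
    }

    static boolean authorize(String user, OpType op, List<String> uriOutputs, boolean hardened) {
        for (String location : uriOutputs) {
            if (uriAccess(op, hardened) == Action.NONE) {
                continue; // nothing required, so the URI is skipped
            }
            String dir = dirPath(location);
            boolean allowed = WRITABLE.getOrDefault(user, List.of())
                    .stream().anyMatch(dir::startsWith);
            if (!allowed) {
                return false; // deny by default when no policy covers the path
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample targets; the first two are the locations in the report.
        String[] targets = {"hdfs://my.cluster/user/user1/nonewrite3", "/", "/user/user1/out/report"};
        for (String t : targets) {
            System.out.printf("%-42s reported=%b hardened=%b%n", t,
                    authorize("user1", OpType.QUERY, List.of(t), false),
                    authorize("user1", OpType.QUERY, List.of(t), true));
        }
    }
}
```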