Posted to dev@ranger.apache.org by "Jake Moon (JIRA)" <ji...@apache.org> on 2018/01/09 05:12:00 UTC

[jira] [Created] (RANGER-1947) RangerHivePlugin does not authorize location on INSERT OVERWRITE DIRECTORY query

Jake Moon created RANGER-1947:
---------------------------------

             Summary: RangerHivePlugin does not authorize location on INSERT OVERWRITE DIRECTORY query
                 Key: RANGER-1947
                 URL: https://issues.apache.org/jira/browse/RANGER-1947
             Project: Ranger
          Issue Type: Bug
          Components: plugins
    Affects Versions: 0.7.1
         Environment: hadoop 2.7.5 + hive 2.3.2 + ranger 0.7.1
            Reporter: Jake Moon


{code}
insert overwrite directory '/user/user1/nonewrite3'
ROW FORMAT DELIMITED 
FIELDS TERMINATED BY ','
SELECT u.id, u.age, u.city, c.city
FROM user_table  u JOIN city_table c ON (u.city = c.code)
WHERE u.age > 25
AND u.age <= 28
AND c.city = 'New York'
{code}

This query's Hive operation type is HiveOperationType.QUERY, and it also has a write location, 'hdfs://my.cluster/user/user1/nonewrite3'.

RangerHiveAuthorizer must authorize the location, but getURIAccessType(HiveOperationType.QUERY) always returns FsAction.NONE, so it does not work.

If hive-server2 has enough permission on HDFS with no impersonation, every user can format HDFS like this:
{code}
insert overwrite directory '/'
ROW FORMAT DELIMITED 
FIELDS TERMINATED BY ','
SELECT 1
{code}




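The following is an added example, not part of the original report and not Ranger source code. It models the gap the report describes: when the access type for a QUERY is FsAction.NONE, the policy is never consulted for the write directory. The enum names mirror the report; the methods, the policy (writes allowed only below /user/<name>/export), the path /user/user1/export/out and the "corrected" mapping are assumptions made for illustration, and plain paths stand in for hdfs:// URIs.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.List;
import java.util.function.BiFunction;

// Simplified model of the check described in the report; NOT Ranger source.
// Enum names mirror the report; every method and the policy are hypothetical.
public class UriAuthzModel {
    enum HiveOperationType { QUERY }
    enum FsAction { NONE, WRITE }

    // As reported: QUERY always maps to NONE, whatever the query writes to.
    static FsAction reported(HiveOperationType op, List<String> writeDirs) {
        return FsAction.NONE;
    }

    // One possible correction (assumption): a QUERY that has a directory
    // output requires WRITE on that directory.
    static FsAction corrected(HiveOperationType op, List<String> writeDirs) {
        return (op == HiveOperationType.QUERY && !writeDirs.isEmpty())
                ? FsAction.WRITE : FsAction.NONE;
    }

    // Constructed policy: a user may write only below /user/<name>/export.
    // normalize() collapses ".." so the prefix test is made on the real target.
    static boolean policyAllows(String user, String dir) {
        Path allowed = Paths.get("/user", user, "export");
        return Paths.get(dir).normalize().startsWith(allowed);
    }

    // NONE means "nothing to check", so the policy is skipped entirely.
    static boolean authorize(String user, HiveOperationType op, List<String> writeDirs,
            BiFunction<HiveOperationType, List<String>, FsAction> accessType) {
        if (accessType.apply(op, writeDirs) == FsAction.NONE) return true;
        return writeDirs.stream().allMatch(d -> policyAllows(user, d));
    }

    public static void main(String[] args) {
        HiveOperationType q = HiveOperationType.QUERY;
        // The first path is constructed; the other two are the report's targets.
        for (String dir : List.of("/user/user1/export/out", "/user/user1/nonewrite3", "/")) {
            System.out.printf("%-24s reported=%b corrected=%b%n", dir,
                authorize("user1", q, List.of(dir), UriAuthzModel::reported),
                authorize("user1", q, List.of(dir), UriAuthzModel::corrected));
        }
    }
}
```

With the reported mapping all three directories are authorized; with the assumed correction only the directory under the constructed export path is.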