You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@hive.apache.org by th...@apache.org on 2015/01/30 01:05:51 UTC
svn commit: r1655891 - in /hive/branches/branch-1.0:
itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/
ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/
service/src/java/org/apache/hive/service/cli/ service/src/java/...
Author: thejas
Date: Fri Jan 30 00:05:50 2015
New Revision: 1655891
URL: http://svn.apache.org/r1655891
Log:
HIVE-9473 : sql std auth should disallow built-in udfs that allow any java methods to be called (Thejas Nair, reviewed by Jason Dere)
Added:
hive/branches/branch-1.0/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestJdbcWithSQLAuthUDFBlacklist.java
Modified:
hive/branches/branch-1.0/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestJdbcWithSQLAuthorization.java
hive/branches/branch-1.0/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/SettableConfigUpdater.java
hive/branches/branch-1.0/service/src/java/org/apache/hive/service/cli/CLIService.java
hive/branches/branch-1.0/service/src/java/org/apache/hive/service/cli/session/SessionManager.java
Added: hive/branches/branch-1.0/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestJdbcWithSQLAuthUDFBlacklist.java
URL: http://svn.apache.org/viewvc/hive/branches/branch-1.0/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestJdbcWithSQLAuthUDFBlacklist.java?rev=1655891&view=auto
==============================================================================
--- hive/branches/branch-1.0/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestJdbcWithSQLAuthUDFBlacklist.java (added)
+++ hive/branches/branch-1.0/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestJdbcWithSQLAuthUDFBlacklist.java Fri Jan 30 00:05:50 2015
@@ -0,0 +1,102 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hive.jdbc.authorization;
+
+import static org.junit.Assert.fail;
+
+import java.sql.Connection;
+import java.sql.DriverManager;
+import java.sql.SQLException;
+import java.sql.Statement;
+import java.util.HashMap;
+
+import org.apache.hadoop.hive.conf.HiveConf;
+import org.apache.hadoop.hive.conf.HiveConf.ConfVars;
+import org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory;
+import org.apache.hive.jdbc.miniHS2.MiniHS2;
+import org.junit.After;
+import org.junit.Test;
+
+/**
+ * Test SQL standard authorization with jdbc/hiveserver2. Specifically udf blacklist behavior.
+ * This test needs to start minihs2 with specific configuration, so it is in a different
+ * test file from {@link TestJdbcWithSQLAuthorization}
+ */
+public class TestJdbcWithSQLAuthUDFBlacklist {
+ private MiniHS2 miniHS2 = null;
+
+ public void startHS2(HiveConf conf) throws Exception {
+ Class.forName(MiniHS2.getJdbcDriverName());
+
+ conf.setVar(ConfVars.HIVE_AUTHORIZATION_MANAGER, SQLStdHiveAuthorizerFactory.class.getName());
+ conf.setVar(ConfVars.HIVE_AUTHENTICATOR_MANAGER, SessionStateUserAuthenticator.class.getName());
+ conf.setBoolVar(ConfVars.HIVE_AUTHORIZATION_ENABLED, true);
+ conf.setBoolVar(ConfVars.HIVE_SUPPORT_CONCURRENCY, false);
+ conf.setBoolVar(ConfVars.HIVE_SERVER2_ENABLE_DOAS, false);
+
+ miniHS2 = new MiniHS2(conf);
+ miniHS2.start(new HashMap<String, String>());
+ }
+
+ @After
+ public void shutDownHS2() throws Exception {
+ if (miniHS2.isStarted()) {
+ miniHS2.stop();
+ }
+ }
+
+ @Test
+ public void testBlackListedUdfUsage() throws Exception {
+ HiveConf conf = new HiveConf();
+ conf.setVar(ConfVars.HIVE_SERVER2_BUILTIN_UDF_BLACKLIST, "sqrt");
+ startHS2(conf);
+
+ // create tables as user1
+ Connection hs2Conn = DriverManager.getConnection(miniHS2.getJdbcURL(), "user1", "bar");
+
+ Statement stmt = hs2Conn.createStatement();
+ String tableName1 = "test_jdbc_sql_auth_udf";
+ stmt.execute("create table " + tableName1 + "(i int) ");
+
+ verifyUDFNotAllowed(stmt, tableName1, "sqrt(1)", "sqrt");
+
+ // verify udf reflect is allowed (no exception will be thrown)
+ stmt.execute("SELECT reflect('java.lang.String', 'valueOf', 1) from " + tableName1);
+ stmt.close();
+ hs2Conn.close();
+ }
+
+ private void verifyUDFNotAllowed(Statement stmt, String tableName, String udfcall, String udfname) {
+ try {
+ stmt.execute("SELECT " + udfcall + " from " + tableName);
+ fail("Disallowed udf usage should have resulted in error");
+ } catch (SQLException e) {
+ checkAssertContains("UDF " + udfname + " is not allowed", e.getMessage());
+ }
+ }
+
+ private void checkAssertContains(String expectedSubString, String message) {
+ if (message.contains(expectedSubString)) {
+ return;
+ }
+ fail("Message [" + message + "] does not contain substring [" + expectedSubString + "]");
+ }
+
+}
Modified: hive/branches/branch-1.0/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestJdbcWithSQLAuthorization.java
URL: http://svn.apache.org/viewvc/hive/branches/branch-1.0/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestJdbcWithSQLAuthorization.java?rev=1655891&r1=1655890&r2=1655891&view=diff
==============================================================================
--- hive/branches/branch-1.0/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestJdbcWithSQLAuthorization.java (original)
+++ hive/branches/branch-1.0/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestJdbcWithSQLAuthorization.java Fri Jan 30 00:05:50 2015
@@ -140,4 +140,39 @@ public class TestJdbcWithSQLAuthorizatio
}
}
+ @Test
+ public void testBlackListedUdfUsage() throws Exception {
+
+ // create tables as user1
+ Connection hs2Conn = getConnection("user1");
+
+ Statement stmt = hs2Conn.createStatement();
+ String tableName1 = "test_jdbc_sql_auth_udf";
+ stmt.execute("create table " + tableName1 + "(i int) ");
+
+ verifyUDFNotAllowed(stmt, tableName1, "reflect('java.lang.String', 'valueOf', 1)", "reflect");
+ verifyUDFNotAllowed(stmt, tableName1, "reflect2('java.lang.String', 'valueOf', 1)", "reflect2");
+ verifyUDFNotAllowed(stmt, tableName1, "java_method('java.lang.String', 'valueOf', 1)",
+ "java_method");
+
+ stmt.close();
+ hs2Conn.close();
+ }
+
+ private void verifyUDFNotAllowed(Statement stmt, String tableName, String udfcall, String udfname) {
+ try {
+ stmt.execute("SELECT " + udfcall + " from " + tableName);
+ fail("Disallowed udf usage should have resulted in error");
+ } catch (SQLException e) {
+ checkAssertContains("UDF " + udfname + " is not allowed", e.getMessage());
+ }
+ }
+
+ private void checkAssertContains(String expectedSubString, String message) {
+ if (message.contains(expectedSubString)) {
+ return;
+ }
+ fail("Message [" + message + "] does not contain substring [" + expectedSubString + "]");
+ }
+
}
Modified: hive/branches/branch-1.0/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/SettableConfigUpdater.java
URL: http://svn.apache.org/viewvc/hive/branches/branch-1.0/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/SettableConfigUpdater.java?rev=1655891&r1=1655890&r2=1655891&view=diff
==============================================================================
--- hive/branches/branch-1.0/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/SettableConfigUpdater.java (original)
+++ hive/branches/branch-1.0/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/SettableConfigUpdater.java Fri Jan 30 00:05:50 2015
@@ -58,6 +58,13 @@ public class SettableConfigUpdater {
}
hiveConf.setModifiableWhiteListRegex(whiteListParamsStr);
+
+ // disallow udfs that can potentially allow untrusted code execution
+ // if admin has already customized this list, honor that
+ String curBlackList = hiveConf.getVar(ConfVars.HIVE_SERVER2_BUILTIN_UDF_BLACKLIST);
+ if (curBlackList == null || curBlackList.trim().isEmpty()) {
+ hiveConf.setVar(ConfVars.HIVE_SERVER2_BUILTIN_UDF_BLACKLIST, "reflect,reflect2,java_method");
+ }
}
}
Modified: hive/branches/branch-1.0/service/src/java/org/apache/hive/service/cli/CLIService.java
URL: http://svn.apache.org/viewvc/hive/branches/branch-1.0/service/src/java/org/apache/hive/service/cli/CLIService.java?rev=1655891&r1=1655890&r2=1655891&view=diff
==============================================================================
--- hive/branches/branch-1.0/service/src/java/org/apache/hive/service/cli/CLIService.java (original)
+++ hive/branches/branch-1.0/service/src/java/org/apache/hive/service/cli/CLIService.java Fri Jan 30 00:05:50 2015
@@ -43,13 +43,11 @@ import org.apache.hive.service.Composite
import org.apache.hive.service.ServiceException;
import org.apache.hive.service.auth.HiveAuthFactory;
import org.apache.hive.service.cli.operation.Operation;
+import org.apache.hadoop.hive.ql.session.SessionState;
import org.apache.hive.service.cli.session.SessionManager;
import org.apache.hive.service.cli.thrift.TProtocolVersion;
import org.apache.hive.service.server.HiveServer2;
-import com.google.common.base.Splitter;
-import com.google.common.collect.Lists;
-
/**
* CLIService.
*
@@ -79,6 +77,11 @@ public class CLIService extends Composit
@Override
public synchronized void init(HiveConf hiveConf) {
+ try {
+ applyAuthorizationConfigPolicy(hiveConf);
+ } catch (HiveException e) {
+ throw new RuntimeException("Error applying authorization policy on hive configuration", e);
+ }
this.hiveConf = hiveConf;
sessionManager = new SessionManager(hiveServer2);
addService(sessionManager);
@@ -112,6 +115,15 @@ public class CLIService extends Composit
super.init(hiveConf);
}
+ private void applyAuthorizationConfigPolicy(HiveConf newHiveConf) throws HiveException {
+ // authorization setup using SessionState should be revisited eventually, as
+ // authorization and authentication are not session specific settings
+ SessionState ss = new SessionState(newHiveConf);
+ ss.setIsHiveServerQuery(true);
+ SessionState.start(ss);
+ ss.applyAuthorizationPolicy();
+ }
+
private void setupBlockedUdfs() {
FunctionRegistry.setupPermissionsForBuiltinUDFs(
hiveConf.getVar(ConfVars.HIVE_SERVER2_BUILTIN_UDF_WHITELIST),
Modified: hive/branches/branch-1.0/service/src/java/org/apache/hive/service/cli/session/SessionManager.java
URL: http://svn.apache.org/viewvc/hive/branches/branch-1.0/service/src/java/org/apache/hive/service/cli/session/SessionManager.java?rev=1655891&r1=1655890&r2=1655891&view=diff
==============================================================================
--- hive/branches/branch-1.0/service/src/java/org/apache/hive/service/cli/session/SessionManager.java (original)
+++ hive/branches/branch-1.0/service/src/java/org/apache/hive/service/cli/session/SessionManager.java Fri Jan 30 00:05:50 2015
@@ -36,8 +36,6 @@ import org.apache.commons.logging.LogFac
import org.apache.hadoop.hive.conf.HiveConf;
import org.apache.hadoop.hive.conf.HiveConf.ConfVars;
import org.apache.hadoop.hive.ql.hooks.HookUtils;
-import org.apache.hadoop.hive.ql.metadata.HiveException;
-import org.apache.hadoop.hive.ql.session.SessionState;
import org.apache.hive.service.CompositeService;
import org.apache.hive.service.cli.HiveSQLException;
import org.apache.hive.service.cli.SessionHandle;
@@ -76,11 +74,6 @@ public class SessionManager extends Comp
@Override
public synchronized void init(HiveConf hiveConf) {
- try {
- applyAuthorizationConfigPolicy(hiveConf);
- } catch (HiveException e) {
- throw new RuntimeException("Error applying authorization policy on hive configuration", e);
- }
this.hiveConf = hiveConf;
//Create operation log root directory, if operation logging is enabled
if (hiveConf.getBoolVar(ConfVars.HIVE_SERVER2_LOGGING_OPERATION_ENABLED)) {
@@ -116,15 +109,6 @@ public class SessionManager extends Comp
hiveConf, ConfVars.HIVE_SERVER2_IDLE_SESSION_TIMEOUT, TimeUnit.MILLISECONDS);
}
- private void applyAuthorizationConfigPolicy(HiveConf newHiveConf) throws HiveException {
- // authorization setup using SessionState should be revisited eventually, as
- // authorization and authentication are not session specific settings
- SessionState ss = new SessionState(newHiveConf);
- ss.setIsHiveServerQuery(true);
- SessionState.start(ss);
- ss.applyAuthorizationPolicy();
- }
-
private void initOperationLogRootDir() {
operationLogRootDir = new File(
hiveConf.getVar(ConfVars.HIVE_SERVER2_LOGGING_OPERATION_LOG_LOCATION));