Posted to issues@hive.apache.org by "Syed Shameerur Rahman (Jira)" <ji...@apache.org> on 2021/11/16 04:12:00 UTC

[jira] (HIVE-25680) Authorize #get_table_meta HiveMetastore Server API to use any of the HiveMetastore Authorization model

    [ https://issues.apache.org/jira/browse/HIVE-25680 ]


    Syed Shameerur Rahman deleted comment on HIVE-25680:
    ----------------------------------------------

was (Author: srahman):
[~kgyrtkirk] Could you please review the changes?

> Authorize #get_table_meta HiveMetastore Server API to use any of the HiveMetastore Authorization model
> ------------------------------------------------------------------------------------------------------
>
>                 Key: HIVE-25680
>                 URL: https://issues.apache.org/jira/browse/HIVE-25680
>             Project: Hive
>          Issue Type: Bug
>          Components: Standalone Metastore
>    Affects Versions: All Versions
>            Reporter: Syed Shameerur Rahman
>            Assignee: Syed Shameerur Rahman
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 4.0.0
>
>         Attachments: Screenshot 2021-11-08 at 2.39.30 PM.png
>
>          Time Spent: 1h
>  Remaining Estimate: 0h
>
> Apache Hue or any other application which uses the #get_table_meta API is not gated to use any of the authorization models which HiveMetastore provides.
> For more information on the Storage Based Authorization model: https://cwiki.apache.org/confluence/display/Hive/HCatalog+Authorization
> You can easily reproduce this with Apache Hive + Apache Hue:
> {code:xml}
>   <property>
>     <name>hive.security.metastore.authorization.manager</name>
>     <value>org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider</value>
>   </property>
>   <property>
>     <name>hive.security.metastore.authenticator.manager</name>
>     <value>org.apache.hadoop.hive.ql.security.HadoopDefaultMetastoreAuthenticator</value>
>   </property>
>   <property>
>     <name>hive.metastore.pre.event.listeners</name>
>     <value>org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener</value>
>   </property>
> {code}
> {code:bash}
> #!/bin/bash
> set -x
> hdfs dfs -mkdir /datasets
> hdfs dfs -mkdir /datasets/database1
> hdfs dfs -mkdir /datasets/database1/table1
> echo "stefano,1992" | hdfs dfs -put - /datasets/database1/table1/file1.csv
> hdfs dfs -chmod -R 700 /datasets/database1
> sudo tee -a setup.hql > /dev/null <<EOT
> CREATE DATABASE IF NOT EXISTS database1 LOCATION "/datasets/database1";
> CREATE EXTERNAL TABLE IF NOT EXISTS database1.table1 (
>   name string, 
>   year int)
> ROW FORMAT DELIMITED
> FIELDS TERMINATED BY ','
> LOCATION
>   '/datasets/database1/table1';
> EOT
> hive -f setup.hql
> {code}
> 1. Log in to Hue => create the first user called "admin" and provide a password. Access the Hive Editor.
> 2. On the SQL section on the left under Databases you should see default and database1 listed. Click on database1.
> 3. As you can see, a table called table1 is listed => this should not be possible as our admin user has no HDFS grants on /datasets/database1
> 4. Run the following query from the Hive editor: SHOW TABLES; The output shows a Permission denied error => this is the expected behavior



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
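
The gap described in the issue, as an added example that is not Hive code or part of the original report: a simplified Python model of a table-metadata listing with and without a storage-based read check. All class and function names, the owner and group values, and the sample catalog are constructed; the model checks only the read bit on the table directory, and filtering (rather than rejecting the call) is a choice of this example.

```python
# Simplified model (not Hive code) of storage-based authorization applied to a
# table-metadata listing. All names and the sample data are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class PathPerm:
    owner: str
    group: str
    mode: int  # POSIX permission bits, e.g. 0o700

@dataclass(frozen=True)
class TableMeta:
    db: str
    name: str
    location: str

# Constructed sample mirroring the reproduction: database1 is chmod 700.
FS = {
    "/datasets/database1/table1": PathPerm("hive", "hadoop", 0o700),
    "/warehouse/default/events": PathPerm("hive", "hadoop", 0o755),
}
CATALOG = [
    TableMeta("database1", "table1", "/datasets/database1/table1"),
    TableMeta("default", "events", "/warehouse/default/events"),
]

def can_read(user, groups, perm):
    """POSIX-style read check: owner bits, then group bits, then other bits."""
    if user == perm.owner:
        return bool(perm.mode & 0o400)
    if perm.group in groups:
        return bool(perm.mode & 0o040)
    return bool(perm.mode & 0o004)

def get_table_meta_ungated(catalog):
    """Behaviour described in the report: every table goes to every caller."""
    return [(t.db, t.name) for t in catalog]

def get_table_meta_gated(catalog, fs, user, groups):
    """Return only tables whose storage location the caller may read.
    A location with no permission record is denied (fail closed)."""
    visible = []
    for t in catalog:
        perm = fs.get(t.location)
        if perm is not None and can_read(user, groups, perm):
            visible.append((t.db, t.name))
    return visible
```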