You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@hive.apache.org by br...@apache.org on 2015/01/30 02:49:49 UTC
svn commit: r1655902 - in /hive/branches/branch-1.1: ./
itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/
ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/
service/src/java/org/apache/hive/service/cli/ service/src/ja...
Author: brock
Date: Fri Jan 30 01:49:48 2015
New Revision: 1655902
URL: http://svn.apache.org/r1655902
Log:
HIVE-9473 : sql std auth should disallow built-in udfs that allow any java methods to be called (Thejas Nair, reviewed by Jason Dere)
Added:
hive/branches/branch-1.1/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestJdbcWithSQLAuthUDFBlacklist.java
- copied unchanged from r1655895, hive/trunk/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestJdbcWithSQLAuthUDFBlacklist.java
Modified:
hive/branches/branch-1.1/ (props changed)
hive/branches/branch-1.1/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestJdbcWithSQLAuthorization.java
hive/branches/branch-1.1/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/SettableConfigUpdater.java
hive/branches/branch-1.1/service/src/java/org/apache/hive/service/cli/CLIService.java
hive/branches/branch-1.1/service/src/java/org/apache/hive/service/cli/session/SessionManager.java
Propchange: hive/branches/branch-1.1/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Fri Jan 30 01:49:48 2015
@@ -3,4 +3,4 @@
/hive/branches/spark:1608589-1654414
/hive/branches/tez:1494760-1622766
/hive/branches/vectorization:1466908-1527856
-/hive/trunk:1655202,1655210,1655213,1655436,1655460,1655894
+/hive/trunk:1655202,1655210,1655213,1655436,1655460,1655894-1655895
Modified: hive/branches/branch-1.1/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestJdbcWithSQLAuthorization.java
URL: http://svn.apache.org/viewvc/hive/branches/branch-1.1/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestJdbcWithSQLAuthorization.java?rev=1655902&r1=1655901&r2=1655902&view=diff
==============================================================================
--- hive/branches/branch-1.1/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestJdbcWithSQLAuthorization.java (original)
+++ hive/branches/branch-1.1/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestJdbcWithSQLAuthorization.java Fri Jan 30 01:49:48 2015
@@ -140,4 +140,39 @@ public class TestJdbcWithSQLAuthorizatio
}
}
+ @Test
+ public void testBlackListedUdfUsage() throws Exception {
+
+ // create tables as user1
+ Connection hs2Conn = getConnection("user1");
+
+ Statement stmt = hs2Conn.createStatement();
+ String tableName1 = "test_jdbc_sql_auth_udf";
+ stmt.execute("create table " + tableName1 + "(i int) ");
+
+ verifyUDFNotAllowed(stmt, tableName1, "reflect('java.lang.String', 'valueOf', 1)", "reflect");
+ verifyUDFNotAllowed(stmt, tableName1, "reflect2('java.lang.String', 'valueOf', 1)", "reflect2");
+ verifyUDFNotAllowed(stmt, tableName1, "java_method('java.lang.String', 'valueOf', 1)",
+ "java_method");
+
+ stmt.close();
+ hs2Conn.close();
+ }
+
+ private void verifyUDFNotAllowed(Statement stmt, String tableName, String udfcall, String udfname) {
+ try {
+ stmt.execute("SELECT " + udfcall + " from " + tableName);
+ fail("Disallowed udf usage should have resulted in error");
+ } catch (SQLException e) {
+ checkAssertContains("UDF " + udfname + " is not allowed", e.getMessage());
+ }
+ }
+
+ private void checkAssertContains(String expectedSubString, String message) {
+ if (message.contains(expectedSubString)) {
+ return;
+ }
+ fail("Message [" + message + "] does not contain substring [" + expectedSubString + "]");
+ }
+
}
Modified: hive/branches/branch-1.1/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/SettableConfigUpdater.java
URL: http://svn.apache.org/viewvc/hive/branches/branch-1.1/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/SettableConfigUpdater.java?rev=1655902&r1=1655901&r2=1655902&view=diff
==============================================================================
--- hive/branches/branch-1.1/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/SettableConfigUpdater.java (original)
+++ hive/branches/branch-1.1/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/SettableConfigUpdater.java Fri Jan 30 01:49:48 2015
@@ -58,6 +58,13 @@ public class SettableConfigUpdater {
}
hiveConf.setModifiableWhiteListRegex(whiteListParamsStr);
+
+ // disallow udfs that can potentially allow untrusted code execution
+ // if admin has already customized this list, honor that
+ String curBlackList = hiveConf.getVar(ConfVars.HIVE_SERVER2_BUILTIN_UDF_BLACKLIST);
+ if (curBlackList == null || curBlackList.trim().isEmpty()) {
+ hiveConf.setVar(ConfVars.HIVE_SERVER2_BUILTIN_UDF_BLACKLIST, "reflect,reflect2,java_method");
+ }
}
}
Modified: hive/branches/branch-1.1/service/src/java/org/apache/hive/service/cli/CLIService.java
URL: http://svn.apache.org/viewvc/hive/branches/branch-1.1/service/src/java/org/apache/hive/service/cli/CLIService.java?rev=1655902&r1=1655901&r2=1655902&view=diff
==============================================================================
--- hive/branches/branch-1.1/service/src/java/org/apache/hive/service/cli/CLIService.java (original)
+++ hive/branches/branch-1.1/service/src/java/org/apache/hive/service/cli/CLIService.java Fri Jan 30 01:49:48 2015
@@ -37,7 +37,7 @@ import org.apache.hadoop.hive.metastore.
import org.apache.hadoop.hive.ql.exec.FunctionRegistry;
import org.apache.hadoop.hive.ql.metadata.Hive;
import org.apache.hadoop.hive.ql.metadata.HiveException;
-import org.apache.hadoop.hive.shims.ShimLoader;
+import org.apache.hadoop.hive.ql.session.SessionState;
import org.apache.hadoop.hive.shims.Utils;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hive.service.CompositeService;
@@ -48,9 +48,6 @@ import org.apache.hive.service.cli.sessi
import org.apache.hive.service.cli.thrift.TProtocolVersion;
import org.apache.hive.service.server.HiveServer2;
-import com.google.common.base.Splitter;
-import com.google.common.collect.Lists;
-
/**
* CLIService.
*
@@ -80,6 +77,11 @@ public class CLIService extends Composit
@Override
public synchronized void init(HiveConf hiveConf) {
+ try {
+ applyAuthorizationConfigPolicy(hiveConf);
+ } catch (HiveException e) {
+ throw new RuntimeException("Error applying authorization policy on hive configuration", e);
+ }
this.hiveConf = hiveConf;
sessionManager = new SessionManager(hiveServer2);
addService(sessionManager);
@@ -113,6 +115,15 @@ public class CLIService extends Composit
super.init(hiveConf);
}
+ private void applyAuthorizationConfigPolicy(HiveConf newHiveConf) throws HiveException {
+ // authorization setup using SessionState should be revisited eventually, as
+ // authorization and authentication are not session specific settings
+ SessionState ss = new SessionState(newHiveConf);
+ ss.setIsHiveServerQuery(true);
+ SessionState.start(ss);
+ ss.applyAuthorizationPolicy();
+ }
+
private void setupBlockedUdfs() {
FunctionRegistry.setupPermissionsForBuiltinUDFs(
hiveConf.getVar(ConfVars.HIVE_SERVER2_BUILTIN_UDF_WHITELIST),
Modified: hive/branches/branch-1.1/service/src/java/org/apache/hive/service/cli/session/SessionManager.java
URL: http://svn.apache.org/viewvc/hive/branches/branch-1.1/service/src/java/org/apache/hive/service/cli/session/SessionManager.java?rev=1655902&r1=1655901&r2=1655902&view=diff
==============================================================================
--- hive/branches/branch-1.1/service/src/java/org/apache/hive/service/cli/session/SessionManager.java (original)
+++ hive/branches/branch-1.1/service/src/java/org/apache/hive/service/cli/session/SessionManager.java Fri Jan 30 01:49:48 2015
@@ -36,8 +36,6 @@ import org.apache.commons.logging.LogFac
import org.apache.hadoop.hive.conf.HiveConf;
import org.apache.hadoop.hive.conf.HiveConf.ConfVars;
import org.apache.hadoop.hive.ql.hooks.HookUtils;
-import org.apache.hadoop.hive.ql.metadata.HiveException;
-import org.apache.hadoop.hive.ql.session.SessionState;
import org.apache.hive.service.CompositeService;
import org.apache.hive.service.cli.HiveSQLException;
import org.apache.hive.service.cli.SessionHandle;
@@ -76,11 +74,6 @@ public class SessionManager extends Comp
@Override
public synchronized void init(HiveConf hiveConf) {
- try {
- applyAuthorizationConfigPolicy(hiveConf);
- } catch (HiveException e) {
- throw new RuntimeException("Error applying authorization policy on hive configuration", e);
- }
this.hiveConf = hiveConf;
//Create operation log root directory, if operation logging is enabled
if (hiveConf.getBoolVar(ConfVars.HIVE_SERVER2_LOGGING_OPERATION_ENABLED)) {
@@ -116,15 +109,6 @@ public class SessionManager extends Comp
hiveConf, ConfVars.HIVE_SERVER2_IDLE_SESSION_TIMEOUT, TimeUnit.MILLISECONDS);
}
- private void applyAuthorizationConfigPolicy(HiveConf newHiveConf) throws HiveException {
- // authorization setup using SessionState should be revisited eventually, as
- // authorization and authentication are not session specific settings
- SessionState ss = new SessionState(newHiveConf);
- ss.setIsHiveServerQuery(true);
- SessionState.start(ss);
- ss.applyAuthorizationPolicy();
- }
-
private void initOperationLogRootDir() {
operationLogRootDir = new File(
hiveConf.getVar(ConfVars.HIVE_SERVER2_LOGGING_OPERATION_LOG_LOCATION));