Posted to gitbox@hive.apache.org by GitBox <gi...@apache.org> on 2021/09/16 20:46:07 UTC

[GitHub] [hive] achennagiri opened a new pull request #2649: HIVE-25532: Fixing authorization for Kill Query command

achennagiri opened a new pull request #2649:
URL: https://github.com/apache/hive/pull/2649


   ### What changes were proposed in this pull request?
   We added authorization support for Kill Query command a while back. Below is the ticket https://issues.apache.org/jira/browse/RANGER-1851
   
   However, we have observed that this hasn't been working as expected. The Ranger service expects Hive to send in a privilege object of the type SERVICE_NAME but we can see below
   https://github.com/apache/hive/blob/master/service/src/java/org/apache/hive/service/server/KillQueryImpl.java#L131 that it is sending an empty array list. 
   The Ranger service never throws an exception to this and this results in any user being able to kill any query even though they don't have necessary permissions.
   
   
   ### Why are the changes needed?
   Currently, any user can kill any other query using the query id. Basically, KILL QUERY is an ADMIN level command and a user is supposed to have the necessary permissions to execute it without which it should fail. 
   We need this fix to address that bug.
   
   ### Does this PR introduce _any_ user-facing change?
   No.
   
   
   ### How was this patch tested?
   This patch was used to create the hive-service jar. This dev jar was replaced on a cluster running Hive and Ranger services. The hiveserver logs were used to confirm that the checkPrivileges() call returns an exception on a user without sufficient permissions (basically, any user without SERVICE_ADMIN permission is not allowed to execute Kill query).
   
   
   Also, the logs are audited in the Ranger and they are as expected.
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: gitbox-unsubscribe@hive.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: gitbox-unsubscribe@hive.apache.org
For additional commands, e-mail: gitbox-help@hive.apache.org
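
The failure mode described in the pull request above, a per-object authorization check that raises nothing when handed an empty list, shown as an added example that is not code from Hive, Ranger or the pull request. `PrivObj`, `policyAllows`, the user names and the strict variant are constructed stand-ins; only the SERVICE_NAME type and the "hiveservice" name come from the thread.

```java
import java.util.List;

public class EmptyPrivilegeListDemo {
    // Hypothetical stand-in for a privilege object (not Hive's HivePrivilegeObject).
    record PrivObj(String type, String name) {}

    static class AccessDenied extends Exception {
        AccessDenied(String msg) { super(msg); }
    }

    // Constructed policy: only user "admin" is allowed on the service object.
    static boolean policyAllows(String user, PrivObj obj) {
        return "SERVICE_NAME".equals(obj.type()) && "admin".equals(user);
    }

    // Per-object check that throws on the first denied object. With an empty
    // list the loop body never runs, so no exception is raised for any user.
    static void checkPrivileges(String user, List<PrivObj> inputs) throws AccessDenied {
        for (PrivObj obj : inputs) {
            if (!policyAllows(user, obj)) {
                throw new AccessDenied(user + " denied on " + obj.name());
            }
        }
    }

    // Defensive variant: an admin-level check with nothing to check is refused.
    static void checkPrivilegesStrict(String user, List<PrivObj> inputs) throws AccessDenied {
        if (inputs.isEmpty()) throw new AccessDenied("no privilege objects supplied");
        checkPrivileges(user, inputs);
    }

    // Caller shaped like isAdmin(): starts at false, true only if no exception.
    static boolean isAdmin(String user, List<PrivObj> inputs, boolean strict) {
        try {
            if (strict) checkPrivilegesStrict(user, inputs); else checkPrivileges(user, inputs);
            return true;
        } catch (AccessDenied e) {
            return false;
        }
    }

    public static void main(String[] args) {
        List<PrivObj> empty = List.of();
        List<PrivObj> svc = List.of(new PrivObj("SERVICE_NAME", "hiveservice"));
        System.out.println("bob, empty list:           " + isAdmin("bob", empty, false));
        System.out.println("bob, empty list, strict:   " + isAdmin("bob", empty, true));
        System.out.println("bob, service object:       " + isAdmin("bob", svc, false));
        System.out.println("admin, service object:     " + isAdmin("admin", svc, false));
    }
}
```

The nested `record` needs Java 16 or later.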


[GitHub] [hive] achennagiri commented on pull request #2649: HIVE-25532: Fixing authorization for Kill Query command

Posted by GitBox <gi...@apache.org>.
achennagiri commented on pull request #2649:
URL: https://github.com/apache/hive/pull/2649#issuecomment-924184200


   Recheck
   




[GitHub] [hive] achennagiri commented on a change in pull request #2649: HIVE-25532: Fixing authorization for Kill Query command

Posted by GitBox <gi...@apache.org>.
achennagiri commented on a change in pull request #2649:
URL: https://github.com/apache/hive/pull/2649#discussion_r712374554



##########
File path: service/src/java/org/apache/hive/service/server/KillQueryImpl.java
##########
@@ -116,6 +119,8 @@ public static void killChildYarnJobs(Configuration conf, String tag, String doAs
 
   private static boolean isAdmin() {
     boolean isAdmin = false;
+    // RANGER-1851
+    HivePrivilegeObject serviceNameObj = new HivePrivilegeObject(HivePrivilegeObject.HivePrivilegeObjectType.SERVICE_NAME, null, "hiveservice");
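
Review bot: the two added lines in isAdmin() only construct serviceNameObj, and nothing visible in this hunk hands it to the authorizer, so confirm that the rest of the change puts it into the privilege-object list passed to checkPrivileges() in place of the empty list; otherwise the check stays as permissive as before. The bare "// RANGER-1851" comment would help more if it said why the object is required (Ranger expects a SERVICE_NAME privilege object for KILL QUERY), and the "hiveservice" literal is better held in a named constant, since the same value is being considered for abort transactions.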

Review comment:
       So, currently the ranger service expects only "hiveservice" Ref. https://issues.apache.org/jira/browse/RANGER-1851. This has been the case since '17. I am even thinking of using the same for abort transactions as well. Do you see any reason why it needs to be made configurable?






[GitHub] [hive] saihemanth-cloudera commented on a change in pull request #2649: HIVE-25532: Fixing authorization for Kill Query command

Posted by GitBox <gi...@apache.org>.
saihemanth-cloudera commented on a change in pull request #2649:
URL: https://github.com/apache/hive/pull/2649#discussion_r712518128



##########
File path: service/src/java/org/apache/hive/service/server/KillQueryImpl.java
##########
@@ -116,6 +119,8 @@ public static void killChildYarnJobs(Configuration conf, String tag, String doAs
 
   private static boolean isAdmin() {
     boolean isAdmin = false;
+    // RANGER-1851
+    HivePrivilegeObject serviceNameObj = new HivePrivilegeObject(HivePrivilegeObject.HivePrivilegeObjectType.SERVICE_NAME, null, "hiveservice");

Review comment:
       LGTM






[GitHub] [hive] saihemanth-cloudera commented on a change in pull request #2649: HIVE-25532: Fixing authorization for Kill Query command

Posted by GitBox <gi...@apache.org>.
saihemanth-cloudera commented on a change in pull request #2649:
URL: https://github.com/apache/hive/pull/2649#discussion_r711241978



##########
File path: service/src/java/org/apache/hive/service/server/KillQueryImpl.java
##########
@@ -116,6 +119,8 @@ public static void killChildYarnJobs(Configuration conf, String tag, String doAs
 
   private static boolean isAdmin() {
     boolean isAdmin = false;
+    // RANGER-1851
+    HivePrivilegeObject serviceNameObj = new HivePrivilegeObject(HivePrivilegeObject.HivePrivilegeObjectType.SERVICE_NAME, null, "hiveservice");

Review comment:
       Instead of hard-coding the "hiveservice" value, have you thought about making this configurable?






[GitHub] [hive] kgyrtkirk merged pull request #2649: HIVE-25532: Fixing authorization for Kill Query command

Posted by GitBox <gi...@apache.org>.
kgyrtkirk merged pull request #2649:
URL: https://github.com/apache/hive/pull/2649


   

