Eric Lin created SENTRY-781:
-------------------------------

             Summary: User can create/run function under a database that he/she has no access
                 Key: SENTRY-781
                 URL: https://issues.apache.org/jira/browse/SENTRY-781
             Project: Sentry
          Issue Type: Bug
          Components: Hive Plugin
    Affects Versions: 1.4.0
            Reporter: Eric Lin


When a user has no access to a particular database, he/she is still able to 
create a permanent function in it. 

For example, a role has no access to database "udf_test", as shown by the "show 
databases" command:

+----------------+--+
| database_name  |
+----------------+--+
| default        |
+----------------+--+

However, this role can do the following two things:

0: jdbc:hive2://10.17.74.148:10000/default> create function udf_test.upper_test 
as 'com.elin.ToUpper';
No rows affected (0.216 seconds)

The jar file has been loaded into the aux directory for Hive.

0: jdbc:hive2://10.17.74.148:10000/default> select udf_test.upper_test(code) 
from sample_07 limit 10;
INFO  : Number of reduce tasks is set to 0 since there's no reduce operator
WARN  : Hadoop command-line option parsing not performed. Implement the Tool 
interface and execute your application with ToolRunner to remedy this.
INFO  : number of splits:1
INFO  : Submitting tokens for job: job_1434092815442_0004
INFO  : Kind: HDFS_DELEGATION_TOKEN, Service: 10.17.74.148:8020, Ident: 
(HDFS_DELEGATION_TOKEN token 24 for hive)
INFO  : The url to track the job: 
http://host-10-17-74-148.coe.cloudera.com:8088/proxy/application_1434092815442_0004/
INFO  : Starting Job = job_1434092815442_0004, Tracking URL = 
http://host-10-17-74-148.coe.cloudera.com:8088/proxy/application_1434092815442_0004/
INFO  : Kill Command = 
/opt/cloudera/parcels/CDH-5.4.0-1.cdh5.4.0.p767.429/lib/hadoop/bin/hadoop job  
-kill job_1434092815442_0004
INFO  : Hadoop job information for Stage-1: number of mappers: 1; number of 
reducers: 0
INFO  : 2015-06-19 17:04:48,003 Stage-1 map = 0%,  reduce = 0%
INFO  : 2015-06-19 17:05:08,172 Stage-1 map = 100%,  reduce = 0%, Cumulative 
CPU 3.16 sec
INFO  : MapReduce Total cumulative CPU time: 3 seconds 160 msec
INFO  : Ended Job = job_1434092815442_0004


This violates the Sentry permission mechanism.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
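
Added example, not part of the original report and not Sentry code: an audit check that flags statements creating or calling a function in a database the role cannot see, which is the condition reported above. The role name "analyst", the record layout and the helper names are assumptions made for illustration; the statements are taken from the report.

```python
import re

# Heuristic patterns, not a full HiveQL parser.
# CREATE [TEMPORARY] FUNCTION [db.]name ; group 1 is the database qualifier, if any.
CREATE_FN = re.compile(
    r"^\s*create\s+(?:temporary\s+)?function\s+(?:`?(\w+)`?\.)?`?(\w+)`?", re.I)
# A database-qualified call such as udf_test.upper_test( ... )
QUALIFIED_CALL = re.compile(r"`?(\w+)`?\.`?(\w+)`?\s*\(")

def function_targets(statement, current_db):
    """Return the (database, function) pairs a statement creates or calls."""
    m = CREATE_FN.match(statement)
    if m:
        # An unqualified name resolves to the session's current database.
        return {((m.group(1) or current_db).lower(), m.group(2).lower())}
    return {(db.lower(), fn.lower()) for db, fn in QUALIFIED_CALL.findall(statement)}

def unauthorized_function_use(records, visible_dbs):
    """Flag statements touching a function in a database the role cannot see.

    records: iterable of (role, current_db, statement)
    visible_dbs: role -> databases listed by "show databases" for that role
    """
    findings = []
    for role, current_db, statement in records:
        allowed = {d.lower() for d in visible_dbs.get(role, ())}
        for db, fn in sorted(function_targets(statement, current_db)):
            if db not in allowed:
                findings.append((role, db, fn))
    return findings

# Constructed sample: the role sees only "default", as in the report.
VISIBLE = {"analyst": ["default"]}
RECORDS = [
    ("analyst", "default", "create function udf_test.upper_test as 'com.elin.ToUpper'"),
    ("analyst", "default", "select udf_test.upper_test(code) from sample_07 limit 10"),
    ("analyst", "default", "select upper(code) from sample_07 limit 10"),
    ("analyst", "default", "create function local_fn as 'com.elin.ToUpper'"),
]

if __name__ == "__main__":
    for finding in unauthorized_function_use(RECORDS, VISIBLE):
        print(finding)
```
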