[ https://issues.apache.org/jira/browse/SENTRY-1034?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15122131#comment-15122131 ]
Anne Yu commented on SENTRY-1034:
---------------------------------
Hi [~Bearricade], is it possible for you to provide more information here?
I've seen this once recently, but couldn't reproduce it. If you can provide
more details, that would be very helpful.
1) What kind of privileges does user allianz_mval have? You can post the
results of "show grant role role_name on object" here.
2) Does this happen only for this user, or for any other user? Does it happen
occasionally, or is it always reproducible?
3) Does asdasdasdasd exist, or is it just a trash string?
Thanks a lot!
> Security leak in beeline connect command
> ----------------------------------------
>
> Key: SENTRY-1034
> URL: https://issues.apache.org/jira/browse/SENTRY-1034
> Project: Sentry
> Issue Type: Bug
> Components: Core
> Reporter: Istvan Vajnorak
>
> A possible info leak in the way beeline connects to databases and uses
> the ACLs to prevent seeing unauthorised databases and tables.
> It turns out that one can connect to a database that one should not see, but
> listing it afterwards gives no tables. This is still somewhat of a security
> breach, as an attacker can gain insight into what databases exist.
> The way the problem got identified:
> [root@prod-vm-cdh-mgr-01 ~]# kinit -kt ~/allianz_mval.keytab allianz_mval
> [root@prod-vm-cdh-mgr-01 ~]# beeline
> Beeline version 1.1.0-cdh5.4.8 by Apache Hive
> beeline> !connect
> jdbc:hive2://vm-cdh-01:10000/sriveradb;principal=hive/_HOST@MITKDC
> scan complete in 6ms
> Connecting to
> jdbc:hive2://vm-cdh-01:10000/sriveradb;principal=hive/_HOST@MITKDC
> Enter username for
> jdbc:hive2://vm-cdh-01:10000/sriveradb;principal=hive/_HOST@MITKDC:
> Enter password for
> jdbc:hive2://vm-cdh-01:10000/sriveradb;principal=hive/_HOST@MITKDC:
> Connected to: Apache Hive (version 1.1.0-cdh5.4.8)
> Driver: Hive JDBC (version 1.1.0-cdh5.4.8)
> Transaction isolation: TRANSACTION_REPEATABLE_READ
> 0: jdbc:hive2://vm-cdh-01:10000/srive> show databases;
> -----------------+
> database_name
> -----------------+
> allianz_mvaldb
> default
> -----------------+
> 2 rows selected (0.726 seconds)
> 0: jdbc:hive2://vm-cdh-01:10000/srive> show tables;
> -----------+
> tab_name
> -----------+
> -----------+
> No rows selected (1.033 seconds)
> 0: jdbc:hive2://vm-cdh-01:10000/srive> !quit
> Closing: 0:
> jdbc:hive2://vm-cdh-01:10000/sriveradb;principal=hive/_HOST@MITKDC
> [root@prod-vm-cdh-mgr-01 ~]# beeline
> Beeline version 1.1.0-cdh5.4.8 by Apache Hive
> beeline> !connect
> jdbc:hive2://vm-cdh-01:10000/asdasdasdasd;principal=hive/_HOST@MITKDC
> scan complete in 2ms
> Connecting to
> jdbc:hive2://vm-cdh-01:10000/asdasdasdasd;principal=hive/_HOST@MITKDC
> Enter username for
> jdbc:hive2://vm-cdh-01:10000/asdasdasdasd;principal=hive/_HOST@MITKDC:
> Enter password for
> jdbc:hive2://vm-cdh-01:10000/asdasdasdasd;principal=hive/_HOST@MITKDC:
> Connected to: Apache Hive (version 1.1.0-cdh5.4.8)
> Driver: Hive JDBC (version 1.1.0-cdh5.4.8)
> Transaction isolation: TRANSACTION_REPEATABLE_READ
> 0: jdbc:hive2://vm-cdh-01:10000/asdas> show tables;
> Error: Error while processing statement: FAILED: Execution Error, return code
> 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Database does not exist:
> asdasdasdasd (state=08S01,code=1)
> 0: jdbc:hive2://vm-cdh-01:10000/asdas> !connect
> jdbc:hive2://vm-cdh-01:10000/sriveradb;principal=hive/_HOST@MITKDC
> Connecting to
> jdbc:hive2://vm-cdh-01:10000/sriveradb;principal=hive/_HOST@MITKDC
> Enter username for
> jdbc:hive2://vm-cdh-01:10000/sriveradb;principal=hive/_HOST@MITKDC:
> Enter password for
> jdbc:hive2://vm-cdh-01:10000/sriveradb;principal=hive/_HOST@MITKDC:
> Connected to: Apache Hive (version 1.1.0-cdh5.4.8)
> Driver: Hive JDBC (version 1.1.0-cdh5.4.8)
> Transaction isolation: TRANSACTION_REPEATABLE_READ
> 1: jdbc:hive2://vm-cdh-01:10000/srive> show tables;
> -----------+
> tab_name
> -----------+
> -----------+
> No rows selected (1.09 seconds)
> 1: jdbc:hive2://vm-cdh-01:10000/srive>
> 1: jdbc:hive2://vm-cdh-01:10000/srive>
> 1: jdbc:hive2://vm-cdh-01:10000/srive>
> 1: jdbc:hive2://vm-cdh-01:10000/srive>
> 1: jdbc:hive2://vm-cdh-01:10000/srive>
> 1: jdbc:hive2://vm-cdh-01:10000/srive> !quit;
> Unknown command: quit;
> 1: jdbc:hive2://vm-cdh-01:10000/srive> !quit;
> Unknown command: quit;
> 1: jdbc:hive2://vm-cdh-01:10000/srive> !quit
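
A regression check for the behaviour reported in the issue above, as an added example that is not part of the original thread or of Sentry's code. It compares the reply to "show tables;" for a database the user is not granted against the reply for a database that does not exist. The transcript is constructed from the quoted session, the function names are hypothetical, and treating identical replies as the pass condition is an assumption.

```python
import re

# Constructed transcript, condensed from the beeline session quoted in the report.
TRANSCRIPT = """\
beeline> !connect jdbc:hive2://vm-cdh-01:10000/sriveradb;principal=hive/_HOST@MITKDC
Connected to: Apache Hive (version 1.1.0-cdh5.4.8)
0: jdbc:hive2://vm-cdh-01:10000/srive> show databases;
2 rows selected (0.726 seconds)
0: jdbc:hive2://vm-cdh-01:10000/srive> show tables;
No rows selected (1.033 seconds)
beeline> !connect jdbc:hive2://vm-cdh-01:10000/asdasdasdasd;principal=hive/_HOST@MITKDC
Connected to: Apache Hive (version 1.1.0-cdh5.4.8)
0: jdbc:hive2://vm-cdh-01:10000/asdas> show tables;
Error: Error while processing statement: FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Database does not exist: asdasdasdasd (state=08S01,code=1)
"""

# Database name taken from the !connect URL, and the line carrying the verdict.
CONNECT = re.compile(r"!connect\s+jdbc:hive2://[^/\s]+/([^;\s]+)")
RESULT = re.compile(r"^(Error:.*|(?:No|\d+) rows? selected)")


def probe_responses(transcript):
    """Map each database named in a !connect URL to its normalized `show tables;` reply."""
    responses, db, awaiting = {}, None, False
    for line in transcript.splitlines():
        connect = CONNECT.search(line)
        if connect:
            db, awaiting = connect.group(1), False
            continue
        if line.rstrip().endswith("> show tables;"):
            awaiting = True
            continue
        verdict = RESULT.match(line)
        if awaiting and db is not None and verdict:
            # Drop timings (not captured) and the database name itself, so only
            # the kind of reply is compared between the two probes.
            responses[db] = verdict.group(1).replace(db, "<db>")
            awaiting = False
    return responses


def existence_oracle(responses, unauthorized_db, nonexistent_db):
    """True when the replies differ, i.e. a caller can tell the two cases apart."""
    return responses[unauthorized_db] != responses[nonexistent_db]
```

Table borders and header rows between the command and the verdict line are skipped, so full beeline output can be fed in as long as each !connect and its URL are on one line.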