[ https://issues.apache.org/jira/browse/HIVE-8893?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Szehon Ho updated HIVE-8893:
----------------------------
    Labels: TODOC15  (was: )

Adds two properties: 
* hive.server2.builtin.udf.whitelist
* hive.server2.builtin.udf.blacklist

Have to doc in this section:

https://cwiki.apache.org/confluence/display/Hive/Configuration+Properties#ConfigurationProperties-HiveServer2

> Implement whitelist for builtin UDFs to avoid untrusted code execution in 
> multiuser mode
> ---------------------------------------------------------------------------------------
>
>                 Key: HIVE-8893
>                 URL: https://issues.apache.org/jira/browse/HIVE-8893
>             Project: Hive
>          Issue Type: Bug
>          Components: Authorization, HiveServer2, SQL
>    Affects Versions: 0.14.0
>            Reporter: Prasad Mujumdar
>            Assignee: Prasad Mujumdar
>              Labels: TODOC15
>             Fix For: 0.15.0
>
>         Attachments: HIVE-8893.3.patch, HIVE-8893.4.patch, HIVE-8893.5.patch, 
> HIVE-8893.6.patch
>
>
> The UDFs like reflect() or java_method() enable executing a Java method as 
> a UDF. While this offers a lot of flexibility in the standalone mode, it can 
> become a security loophole in a secure multiuser environment. For example, in 
> HiveServer2 one can execute any available Java code with user hive's 
> credentials.
> We need a whitelist and blacklist to restrict builtin UDFs in HiveServer2.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
