[
https://issues.apache.org/jira/browse/RANGER-738?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15034380#comment-15034380
]
Don Bosco Durai commented on RANGER-738:
----------------------------------------
Yes, the key issue is that you can run system commands. These commands will run
as user "hive" in HiveServer2, unless we fork another process and run it as the
end user (similar to YARN).
> Server-wide control over TRANSFORM clause in Hive
> -------------------------------------------------
>
> Key: RANGER-738
> URL: https://issues.apache.org/jira/browse/RANGER-738
> Project: Ranger
> Issue Type: New Feature
> Components: plugins
> Reporter: Scott C Gray
> Labels: features, security
>
> The TRANSFORM statement in Hive is a big security hole with Hive run without
> impersonation, so when SQL Standard Authorization is enabled, the feature id
> completely disabled which is a bit of a sledgehammer approach to securing
> this statement.
> Sentry added support for restricting this statement at a per-user/group
> level, which should be adopted by Ranger.
> https://issues.apache.org/jira/browse/SENTRY-598
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
