-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/71532/
-----------------------------------------------------------
Review request for sentry.
Bugs: SENTRY-2533
https://issues.apache.org/jira/browse/SENTRY-2533
Repository: sentry
Description
-------
HIVE-20420 (CVE-2018-11777) introduced a fallback authorizer factory which
disallowed some builtin UDFs such as java_method, reflect, reflect2 and
in_file. But Sentry has not blacklisted in_file up to now, so a malicious user can
use in_file in SQL queries to detect some specific files on the HS2 host, or to
detect whether a specific file has specific content. in_file should be added to
HIVE_UDF_BLACK_LIST.
Diffs
-----
sentry-binding/sentry-binding-hive-conf/src/main/java/org/apache/sentry/binding/hive/conf/HiveAuthzConf.java
5c433290972d5ffc52ef342678b6b11e48f28cef
sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtFunctionScope.java
c6e14a56004a934a025cc7abb2fe6646e5d36768
Diff: https://reviews.apache.org/r/71532/diff/1/
Testing
-------
Added a unit test to test if it is properly blacklisted.
Thanks,
Wenchao Li
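
Added example, not part of the review request or of Sentry's code: a detection-side check that flags calls to the UDFs named in the description when scanning query text, for instance text taken from HiveServer2 logs (an assumption about where the text comes from). The function name, the sample queries and the placeholder path are constructed for illustration.

```python
import re

# UDFs named in the review description: the set disallowed by the Hive
# fallback authorizer, including in_file.
BLOCKED_UDFS = frozenset({"java_method", "reflect", "reflect2", "in_file"})

# Comments and quoted literals are matched first, so a UDF name that only
# appears inside them is consumed and never reported as a call.
_TOKEN = re.compile(
    r"""
      --[^\n]*                          # line comment
    | /\*.*?\*/                         # block comment
    | '(?:\\.|''|[^'\\])*'              # single-quoted string literal
    | "(?:\\.|""|[^"\\])*"              # double-quoted string literal
    | `?(?P<name>[A-Za-z_][A-Za-z0-9_]*)`?\s*(?P<call>\()?   # identifier
    """,
    re.VERBOSE | re.DOTALL,
)


def blocked_udf_calls(sql):
    """Return the sorted, lower-cased blocked UDF names that `sql` calls."""
    hits = set()
    for match in _TOKEN.finditer(sql):
        name = match.group("name")
        # Only an identifier directly followed by "(" counts as a call.
        if name and match.group("call") and name.lower() in BLOCKED_UDFS:
            hits.add(name.lower())
    return sorted(hits)


# Constructed sample queries; the path is a placeholder.
SAMPLE_QUERIES = [
    "SELECT in_file(name, '/path/placeholder.txt') FROM t",
    "SELECT 'in_file(' AS label FROM t -- reflect(",
    "select REFLECT2 (col, 'hashCode'), upper(c) from t",
    "SELECT my_in_file(c) FROM t",
    "SELECT `java_method`('a', 'b') /* in_file( */ FROM t",
]

if __name__ == "__main__":
    for query in SAMPLE_QUERIES:
        print(blocked_udf_calls(query), "<-", query)
```

An unterminated string literal is not consumed, so names after it are still inspected; the check errs toward reporting rather than missing a call.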