> On August 28, 2015, 1:47 a.m., Li Li wrote:
> > sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryFilterDDLTask.java, line 79
> > <https://reviews.apache.org/r/37794/diff/4/?file=1055835#file1055835line79>
> >
> >     As showColumns is a public method in its parent class, it may have a
> >     potential security problem when a client directly calls
> >     SentryFilterDDLTask.showColumns(..). Maybe it is better to just override
> >     showColumns like the one used in your first version?
>
> shen guoquan wrote:
>     The reason why I changed this source code is that I found all of the show
>     functions in the DDLTask are private except showColumn. I don't want to
>     override the only showColumn function. I will do some next jiras about show
>     metadata such as "describe table" and "show tables". I want to keep code
>     consistency. So I changed it.
>     Thanks for your comment.
>
> Li Li wrote:
>     I am just thinking about whether there is a potential security situation
>     when a client bypasses the execute method and directly calls showColumns;
>     then it can get all columns even if it does not have the permission.

As far as I know, Hive always executes the Task.execute method to do some operation, such as getting metadata or running mapreduce jobs. There is no chance to bypass the execute method.
Thanks for your comments.

- shen

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/37794/#review96815
-----------------------------------------------------------

On August 27, 2015, 8:21 a.m., shen guoquan wrote:
>
> (Updated August 27, 2015, 8:21 a.m.)
>
>
> Review request for sentry, Colin Ma, Dapeng Sun, and Sravya Tirukkovalur.
>
>
> Repository: sentry
>
>
> Description
> -------
>
> grant select(s) on table test_tb to role test_role;
>
> show columns in test_tb;
>
> Error: Error while compiling statement: FAILED: SemanticException No valid privileges
>  Required privileges for this query: Server=server1->Db=test_db->Table=test_tb->action=insert;Server=server1->Db=test_db->Table=test_tb->action=select; (state=42000,code=40000)
>
> It should show s column
>
>
> Diffs
> -----
>
>   sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryFilterDDLTask.java PRE-CREATION
>   sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java ddfb222
>   sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivileges.java 8cd82ef
>   sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java 0291b6c
>   sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/SimpleFileProviderBackend.java 526a0e0
>   sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestColumnEndToEnd.java 159b9d9
>
> Diff: https://reviews.apache.org/r/37794/diff/
>
>
> Testing
> -------
>
> Run local unit case
>
>
> Thanks,
>
> shen guoquan
>
>
