> On Nov. 16, 2015, 9:29 p.m., Sravya Tirukkovalur wrote:
> > sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java,
> > line 338
> > <https://reviews.apache.org/r/40316/diff/2/?file=1125743#file1125743line338>
> >
> > Handle case sensitivity?
Hive takes care of this for us. We could call lower on it again if we'd like
but that seems like overkill. Probably should add this to the initWhiteList()
function though.
From a live cluster running this patch:
select ReFleCt('java.net.URLDecoder', 'decode', 'http://www.apache.org',
'utf-8') from hive1;
Error: Error while compiling statement: FAILED: AuthorizationException The UDF
reflect is not found in the list of allowed UDFs (state=42000,code=40000)
Let me know what you think and I'll adjust accordingly
> On Nov. 16, 2015, 9:29 p.m., Sravya Tirukkovalur wrote:
> > sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java,
> > line 314
> > <https://reviews.apache.org/r/40316/diff/2/?file=1125743#file1125743line314>
> >
> > Looks like this can cause overhead for all commands. Looking at how we
> > can restrict these for only queries which have a TOK_FUNCTION.
Yeah I tried to accomplish it this way at first. The problem is TOK_FUNCTION
will never be a root level ASTNode. It will always be the child of some
other Token. The problem is we will have to ensure that we call this for any
and all operations which could hide a function as one of its children. I
thought about catching TOK_SELECT but I haven't confirmed that this won't
also be nested in the event of something like a CTAS.
Select max(a) from test;
TOK_QUERY
   TOK_FROM
      TOK_TABREF
         TOK_TABNAME
            test
   TOK_INSERT
      TOK_DESTINATION
         TOK_DIR
            TOK_TMP_FILE
      TOK_SELECT
         TOK_SELEXPR
            TOK_FUNCTION
               max
               TOK_TABLE_OR_COL
                  a
Create table as select max(a) from test;
TOK_CREATETABLE
   TOK_TABNAME
      test3
   TOK_LIKETABLE
   TOK_QUERY
      TOK_FROM
         TOK_TABREF
            TOK_TABNAME
               test
      TOK_INSERT
         TOK_DESTINATION
            TOK_DIR
               TOK_TMP_FILE
         TOK_SELECT
            TOK_SELEXPR
               TOK_FUNCTION
                  max
                  TOK_TABL
We would have to try and account for any possible operation in which a function
could be called.
- Ryan
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/40316/#review106704
-----------------------------------------------------------
On Nov. 14, 2015, 7:55 p.m., Ryan Pridgeon wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/40316/
> -----------------------------------------------------------
>
> (Updated Nov. 14, 2015, 7:55 p.m.)
>
>
> Review request for sentry.
>
>
> Repository: sentry
>
>
> Description
> -------
>
> SENTRY-960: Bring whitelist validation back
>
>
> Diffs
> -----
>
>
> sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
> 18b8a8f
>
> sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestEndToEnd.java
> 23577c2
>
> Diff: https://reviews.apache.org/r/40316/diff/
>
>
> Testing
> -------
>
> Ran the code in a live cluster to confirm it works
>
> Added unit test.
>
>
> Thanks,
>
> Ryan Pridgeon
>
>
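
The two points raised in Ryan's reply above (TOK_FUNCTION is never a root node, and function names arrive in mixed case), as an added example that is not part of the patch or the Sentry code base. The Node class, the whitelist contents and the tree are constructed for illustration and do not use Hive's parser API.

```java
import java.util.*;

public class UdfWhitelistWalk {
    // Hypothetical minimal AST node; stands in for the parser's node type.
    static final class Node {
        final String text;
        final List<Node> children;
        Node(String text, Node... children) {
            this.text = text;
            this.children = Arrays.asList(children);
        }
    }

    // Collect the name under every TOK_FUNCTION at any depth, lower-cased
    // with a fixed locale so the comparison does not depend on the JVM default.
    static Set<String> functionsIn(Node root) {
        Set<String> found = new TreeSet<>();
        Deque<Node> stack = new ArrayDeque<>();
        stack.push(root);
        while (!stack.isEmpty()) {
            Node n = stack.pop();
            if ("TOK_FUNCTION".equals(n.text) && !n.children.isEmpty()) {
                found.add(n.children.get(0).text.toLowerCase(Locale.ROOT));
            }
            for (Node c : n.children) stack.push(c); // keep descending: functions can nest
        }
        return found;
    }

    // Function names not on the whitelist; empty means the statement passes.
    static Set<String> denied(Node root, Set<String> whitelist) {
        Set<String> bad = functionsIn(root);
        bad.removeAll(whitelist);
        return bad;
    }

    public static void main(String[] args) {
        Set<String> whitelist = new HashSet<>(Arrays.asList("max", "min", "count")); // constructed
        // Constructed CTAS-shaped tree: reflect(max(a)) sits four levels below the root.
        Node ctas = new Node("TOK_CREATETABLE",
            new Node("TOK_TABNAME", new Node("test3")),
            new Node("TOK_QUERY",
                new Node("TOK_FROM", new Node("TOK_TABREF", new Node("TOK_TABNAME", new Node("test")))),
                new Node("TOK_INSERT", new Node("TOK_SELECT", new Node("TOK_SELEXPR",
                    new Node("TOK_FUNCTION", new Node("ReFleCt"),
                        new Node("TOK_FUNCTION", new Node("max"),
                            new Node("TOK_TABLE_OR_COL", new Node("a")))))))));
        System.out.println("denied: " + denied(ctas, whitelist));
    }
}
```

Walking from whatever root the statement has, instead of matching on specific root tokens, is what covers the CTAS case without enumerating every operation that can contain a function.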