[ 
https://issues.apache.org/jira/browse/SUBMARINE-562?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Zhankun Tang updated SUBMARINE-562:
-----------------------------------
    Fix Version/s:     (was: 0.4.0)

> Secure raw read and writes to hdfs
> ----------------------------------
>
>                 Key: SUBMARINE-562
>                 URL: https://issues.apache.org/jira/browse/SUBMARINE-562
>             Project: Apache Submarine
>          Issue Type: Improvement
>          Components: Security
>            Reporter: Pedro Rossi
>            Priority: Minor
>
> I was testing the security plugin inside my company and noticed that either 
> running a "select * from table" or reading the table path directly on HDFS 
> produces the same plan, but in the raw path read it shows the path URI only, 
> and this is not taken into account in the PrivilegesBuilder class. I designed 
> an internal patch for this module at my company to address this issue by 
> adding this to the buildQuery function
> {code:java}
> case l: LogicalRelation =>
> if (l.catalogTable.nonEmpty) {
>   mergeProjection(l.catalogTable.get)
> } else if (l.relation.isInstanceOf[HadoopFsRelation]) {
>   for (path <- l.relation.asInstanceOf[HadoopFsRelation].location.rootPaths)
>     privilegeObjects += new SparkPrivilegeObject(
>       SparkPrivilegeObjectType.DFS_URI, path.toString, path.toString)
> }
> {code}
> and this to the buildCommand function
> {code:java}
> case i: InsertIntoHadoopFsRelationCommand =>
> i.catalogTable foreach { t =>
>   addTableOrViewLevelObjs(
>     t.identifier,
>     outputObjs,
>     i.partitionColumns.map(_.name),
>     t.schema.fieldNames)
> }
> if (i.catalogTable.isEmpty) {
>   outputObjs += new SparkPrivilegeObject(
>     SparkPrivilegeObjectType.DFS_URI, i.outputPath.toString, i.outputPath.toString)
> }
> {code}
> I get that this project proposes Hive authorization and not HDFS 
> authorization, but even so, people in the Spark environment tend to write 
> temporary files without metastore tables as well, and this should pass through 
> authorization.
> I am creating this issue to ask the maintainers whether this is relevant 
> and whether it is in the scope of the Security module, so that I can 
> provide a patch for it.
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
