[jira] [Updated] (HIVE-20644) Avoid exposing sensitive infomation through a Hive Runtime exception

Wed, 26 Sep 2018 22:54:48 -0700 


     [ 
https://issues.apache.org/jira/browse/HIVE-20644?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Ashutosh Bapat updated HIVE-20644:
----------------------------------
    Summary: Avoid exposing sensitive infomation through a Hive Runtime 
exception  (was: Avoid exposing sensitive infomation through an error message)

> Avoid exposing sensitive infomation through a Hive Runtime exception
> --------------------------------------------------------------------
>
>                 Key: HIVE-20644
>                 URL: https://issues.apache.org/jira/browse/HIVE-20644
>             Project: Hive
>          Issue Type: Improvement
>          Components: HiveServer2
>            Reporter: Ashutosh Bapat
>            Assignee: Ashutosh Bapat
>            Priority: Minor
>
> The HiveException raised from the following methods is exposing the datarow 
> the caused the run time exception.
>  # ReduceRecordSource::GroupIterator::next() - around line 372
>  # MapOperator::process() - around line 567
>  # ExecReducer::reduce() - around line 243
> In all the cases, a string representation of the row is constructed on the 
> fly and is included in
> the error message.
> VectorMapOperator::process() - around line 973 raises the same exception but 
> it's not exposing the row since the row contents are not included in the 
> error message.
> While trying to reproduce above error, I also found that the arguments to a 
> UDF get exposed in log messages from FunctionRegistry::invoke() around line 
> 1114. This too can cause sensitive information to be leaked through error 
> message.
> This way some sensitive information is leaked to a user through exception 
> message. That information may not be available to the user otherwise. Hence 
> it's a kind of security breach or violation of access control.
> The contents of the row or the arguments to a function may be useful for 
> debugging and hence it's worth to add those to logs. Hence proposal here to 
> log a separate message with log level DEBUG or INFO containing the string 
> representation of the row. Users can configure their logging so that 
> DEBUG/INFO messages do not go to the client but at the same time are 
> available in the hive server logs for debugging. The actual exception message 
> will not contain any sensitive data like row data or argument data.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to