[ 
https://issues.apache.org/jira/browse/HIVE-23339?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17096477#comment-17096477
 ] 

Riju Trivedi commented on HIVE-23339:
-------------------------------------

During the doAuthorization() call for the CreateDatabase operation, authorize is 
invoked only with the read and write Privileges for the operation.
{code:java}
public void authorize(Privilege[] readRequiredPriv, Privilege[] writeRequiredPriv)
    throws HiveException, AuthorizationException {
{code}
In StorageBasedAuth, we only call checkPermissions() for the root warehouse dir 
(hive.metastore.warehouse.dir) and not the specified location. So, any user who 
does not have access to the directory will be able to create the database if they 
have access to the warehouse path.
{code:java}
Path root = null;
try {
  initWh();
  root = wh.getWhRoot();
  authorize(root, readRequiredPriv, writeRequiredPriv);
{code}

> SBA does not check permissions for DB location specified in Create database 
> query
> ---------------------------------------------------------------------------------
>
>                 Key: HIVE-23339
>                 URL: https://issues.apache.org/jira/browse/HIVE-23339
>             Project: Hive
>          Issue Type: Bug
>          Components: Hive
>    Affects Versions: 3.1.0
>            Reporter: Riju Trivedi
>            Assignee: Shubham Chaurasia
>            Priority: Critical
>
> With doAs=true and StorageBasedAuthorization provider, create database with 
> specific location succeeds even if user doesn't have access to that path.
>  
> {code:java}
>   hadoop fs -ls -d /tmp/cannot_write
>  drwx------ - hive hadoop 0 2020-04-01 22:53 /tmp/cannot_write
> create a database under /tmp/cannot_write. We would expect it to fail, but is 
> actually created successfully with "hive" as the owner:
> rtrivedi@bdp01:~> beeline -e "create database rtrivedi_1 location 
> '/tmp/cannot_write/rtrivedi_1'"
>  INFO : OK
>  No rows affected (0.116 seconds)
> hive@hpchdd2e:~> hadoop fs -ls /tmp/cannot_write
>  Found 1 items
>  drwx------ - hive hadoop 0 2020-04-01 23:05 /tmp/cannot_write/rtrivedi_1
> {code}
>  
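The missing check described in the comment above, as an added illustration that is not Hive's own code or the fix applied to HIVE-23339: alongside the existing warehouse-root check, the LOCATION given in CREATE DATABASE is authorized too. The `PathAuthorizer` interface, the `CreateDatabaseLocationCheck` class and the `authorizeCreateDatabase`/`nearestExistingAncestor` methods are hypothetical names; the `authorize(Path, Privilege[], Privilege[])` shape mirrors the call shown in the comment, and the Hadoop `Path`/`FileSystem` calls are the standard ones.

```java
import java.io.IOException;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.hive.ql.metadata.AuthorizationException;
import org.apache.hadoop.hive.ql.metadata.HiveException;
import org.apache.hadoop.hive.ql.security.authorization.Privilege;

public final class CreateDatabaseLocationCheck {

  // Hypothetical interface matching the authorize(root, read, write) call in the comment.
  public interface PathAuthorizer {
    void authorize(Path path, Privilege[] readRequiredPriv, Privilege[] writeRequiredPriv)
        throws HiveException, AuthorizationException;
  }

  // Hypothetical entry point: checks the warehouse root as today, and, when a
  // LOCATION clause is present, also the nearest existing ancestor of that path
  // (the target directory does not exist yet, so its own permissions cannot be read).
  public static void authorizeCreateDatabase(PathAuthorizer sba, Configuration conf,
      Path warehouseRoot, String locationUri,
      Privilege[] readRequiredPriv, Privilege[] writeRequiredPriv)
      throws HiveException, AuthorizationException, IOException {
    // Existing behaviour: only hive.metastore.warehouse.dir is checked.
    sba.authorize(warehouseRoot, readRequiredPriv, writeRequiredPriv);
    if (locationUri == null || locationUri.isEmpty()) {
      return; // database lands under the warehouse root, which was just checked
    }
    Path target = new Path(locationUri);
    FileSystem fs = target.getFileSystem(conf);
    Path existing = nearestExistingAncestor(fs, target);
    // For the report's example this is /tmp/cannot_write (drwx------ hive:hadoop),
    // so an impersonated user without write access is rejected here.
    sba.authorize(existing, readRequiredPriv, writeRequiredPriv);
  }

  // Walk up until a path that exists is found; stop at the filesystem root.
  static Path nearestExistingAncestor(FileSystem fs, Path p) throws IOException {
    Path cur = fs.makeQualified(p);
    while (cur != null && !fs.exists(cur)) {
      cur = cur.getParent();
    }
    if (cur == null) {
      throw new IOException("no existing ancestor for " + p);
    }
    return cur;
  }
}
```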



--
This message was sent by Atlassian Jira
(v8.3.4#803005)