[jira] [Updated] (HIVE-23461) Needs to capture input/output entities in explainRewrite

Wed, 13 May 2020 06:18:19 -0700 


     [ 
https://issues.apache.org/jira/browse/HIVE-23461?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Wenchao Li updated HIVE-23461:
------------------------------
    Description: 
HIVE-18778(CVE-2018-1314) capture input/output entitles in explain semantic 
analyzer so when a query is disallowed by Ranger, Sentry or Sqlstd 
authorizizer, the corresponding explain statement will be disallowed either.

However, ExplainSQRewriteSemanticAnalyzer also uses an instance of 
DDLSemanticAnalyzer to analyze the explain rewrite query.
{code:java}
SemanticAnalyzer sem = (SemanticAnalyzer)
 SemanticAnalyzerFactory.get(queryState, input);
sem.analyze(input, ctx);
sem.validate();{code}
 

The inputs/outputs entities for this query are never set on the instance of 
ExplainSQRewriteSemanticAnalyzer itself and thus is not propagated into the 
HookContext in the calling Driver code. It is a similar issue to HIVE-18778.

  was:
HIVE-18778(CVE-2018-1314) capture input/output entitles in explain semantic 
analyzer so when a query is disallowed by Ranger, Sentry or Sqlstd 
authorizizer, the corresponding explain statement will be disallowed either.

However, ExplainSQRewriteSemanticAnalyzer also uses an instance of 
DDLSemanticAnalyzer to analyze the explain rewrite query.

 
{code:java}
SemanticAnalyzer sem = (SemanticAnalyzer)
 SemanticAnalyzerFactory.get(queryState, input);
sem.analyze(input, ctx);
sem.validate();

The inputs/outputs entities for this query are never set on the instance of 
ExplainSQRewriteSemanticAnalyzer itself and thus is not propagated into the 
HookContext in the calling Driver code. It is a similar issue to 
HIVE-18778.{code}
 


> Needs to capture input/output entities in explainRewrite
> --------------------------------------------------------
>
>                 Key: HIVE-23461
>                 URL: https://issues.apache.org/jira/browse/HIVE-23461
>             Project: Hive
>          Issue Type: Improvement
>            Reporter: Wenchao Li
>            Priority: Major
>
> HIVE-18778(CVE-2018-1314) capture input/output entitles in explain semantic 
> analyzer so when a query is disallowed by Ranger, Sentry or Sqlstd 
> authorizizer, the corresponding explain statement will be disallowed either.
> However, ExplainSQRewriteSemanticAnalyzer also uses an instance of 
> DDLSemanticAnalyzer to analyze the explain rewrite query.
> {code:java}
> SemanticAnalyzer sem = (SemanticAnalyzer)
>  SemanticAnalyzerFactory.get(queryState, input);
> sem.analyze(input, ctx);
> sem.validate();{code}
>  
> The inputs/outputs entities for this query are never set on the instance of 
> ExplainSQRewriteSemanticAnalyzer itself and thus is not propagated into the 
> HookContext in the calling Driver code. It is a similar issue to HIVE-18778.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to