[
https://issues.apache.org/jira/browse/HIVE-23461?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Wenchao Li updated HIVE-23461:
------------------------------
Component/s: Authorization
> Needs to capture input/output entities in explainRewrite
> --------------------------------------------------------
>
> Key: HIVE-23461
> URL: https://issues.apache.org/jira/browse/HIVE-23461
> Project: Hive
> Issue Type: Bug
> Components: Authorization
> Reporter: Wenchao Li
> Assignee: Wenchao Li
> Priority: Major
>
> HIVE-18778(CVE-2018-1314) capture input/output entitles in explain semantic
> analyzer so when a query is disallowed by Ranger, Sentry or Sqlstd
> authorizizer, the corresponding explain statement will be disallowed either.
> However, ExplainSQRewriteSemanticAnalyzer also uses an instance of
> DDLSemanticAnalyzer to analyze the explain rewrite query.
> {code:java}
> SemanticAnalyzer sem = (SemanticAnalyzer)
> SemanticAnalyzerFactory.get(queryState, input);
> sem.analyze(input, ctx);
> sem.validate();{code}
>
> The inputs/outputs entities for this query are never set on the instance of
> ExplainSQRewriteSemanticAnalyzer itself and thus is not propagated into the
> HookContext in the calling Driver code. It is a similar issue to HIVE-18778.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
