[
https://issues.apache.org/jira/browse/HIVE-23461?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Naresh P R updated HIVE-23461:
------------------------------
Attachment: HIVE-23461.3.patch
> Needs to capture input/output entities in explainRewrite
> --------------------------------------------------------
>
> Key: HIVE-23461
> URL: https://issues.apache.org/jira/browse/HIVE-23461
> Project: Hive
> Issue Type: Bug
> Components: Authorization
> Reporter: Wenchao Li
> Assignee: Naresh P R
> Priority: Major
> Attachments: HIVE-23461.1.patch, HIVE-23461.2.patch,
> HIVE-23461.3.patch, HIVE-23461.patch
>
>
> HIVE-18778(CVE-2018-1314) capture input/output entitles in explain semantic
> analyzer so when a query is disallowed by Ranger, Sentry or Sqlstd
> authorizizer, the corresponding explain statement will be disallowed either.
> However, ExplainSQRewriteSemanticAnalyzer also uses an instance of
> DDLSemanticAnalyzer to analyze the explain rewrite query.
> {code:java}
> SemanticAnalyzer sem = (SemanticAnalyzer)
> SemanticAnalyzerFactory.get(queryState, input);
> sem.analyze(input, ctx);
> sem.validate();{code}
>
> The inputs/outputs entities for this query are never set on the instance of
> ExplainSQRewriteSemanticAnalyzer itself and thus is not propagated into the
> HookContext in the calling Driver code. It is a similar issue to HIVE-18778.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
