[
https://issues.apache.org/jira/browse/HIVE-11988?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15047157#comment-15047157
]
Alok Lal commented on HIVE-11988:
---------------------------------
While testing [the Ranger patch|https://reviews.apache.org/r/41067/] I
submitted to mimic these changes (RANGER-772), I see that the
{{checkPrivilages}} call for IMPORT, when the import would create a table, does not
include the table name. [~madhan.neethiraj], one of the reviewers of
that patch, observed that this could lead to the following two potential usability
issues:
# In Ranger a user's access privileges can be specified using wildcards. Say a
user in the finance department has been given create privileges at the database
level for any table that starts with fin, i.e. {{fin*}}. If such a user
attempts to import a table named, say, {{fintemp}}, then that operation would
fail since we currently require a database-level privilege.
# Ranger audits various user actions. Since the table name isn't specified we can't
record which table got created. In some cases this could be inferred from
the command string that is passed into {{checkPrivilages}} (which we store
off in our audit). However, when {{IMPORT}} does not specify the table name,
that information may not be readily available to the user.
> [hive] security issue with hive & ranger for import table command
> -----------------------------------------------------------------
>
> Key: HIVE-11988
> URL: https://issues.apache.org/jira/browse/HIVE-11988
> Project: Hive
> Issue Type: Bug
> Components: Hive
> Affects Versions: 0.14.0, 1.2.1
> Reporter: Deepak Sharma
> Assignee: Sushanth Sowmyan
> Priority: Critical
> Fix For: 1.3.0, 2.0.0, 1.2.2
>
> Attachments: HIVE-11988.2.patch, HIVE-11988.3.patch,
> HIVE-11988.4.patch, HIVE-11988.5.patch, HIVE-11988.patch,
> authorization_uri_import_q_hive.log, authorization_uri_import_q_output.txt
>
>
> If a user does not have permission to create a table in Hive, and the same
> user imports data for a table using the following command, then it will have to
> create the table as well, and that is working successfully; ideally it should not
> work.
> STR:
> ====
> 1. put some raw data in hdfs path /user/user1/tempdata
> 2. in ranger check policy , user1 should not have any permission on any table
> 3. log in through user1 into beeline (obviously it will fail since the user
> doesn't have permission to create a table)
> create table tt1(id INT,ff String);
> FAILED: HiveAccessControlException Permission denied: user user1 does not
> have CREATE privilege on default/tt1 (state=42000,code=40000)
> 4. now try the following command to import data into a table (the table should not
> exist already)
> import table tt1 from '/user/user1/tempdata';
> ER:
> since user1 doesn't have permission to create a table, this operation should
> fail
> AR:
> table is created successfully and data is also imported !!
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
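The behaviours discussed in this thread (an IMPORT that creates the target table without any CREATE check, versus a CREATE check that either omits or carries the table name, and what each does to a wildcard policy like {{fin*}} and to the audit row) can be modelled in a few dozen lines. The following is an added example, not Hive's or Ranger's code: `PrivObject`, `Policy`, `ToyAuthorizer`, `import_table` and the `finuser`/`fin*` sample policy are hypothetical, and the glob matching is a simplified stand-in for Ranger's policy engine.

```python
"""Toy model of the IMPORT-creates-table authorization path discussed in
HIVE-11988 / RANGER-772.  Added illustration only: names are hypothetical and
Ranger's real policy evaluation is far richer than the glob matching used here."""
import fnmatch
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class PrivObject:
    """Object handed to the authorizer; table=None means a database-level object."""
    db: str
    table: Optional[str] = None

    def name(self) -> str:
        return self.db if self.table is None else f"{self.db}/{self.table}"


@dataclass(frozen=True)
class Policy:
    """Ranger-style policy: glob patterns for database and table, plus grants."""
    user: str
    db_pattern: str
    table_pattern: str  # "*" covers every table and is the only pattern that
                        # also satisfies a request carrying no table name
    privileges: FrozenSet[str]

    def covers(self, obj: PrivObject) -> bool:
        if not fnmatch.fnmatchcase(obj.db, self.db_pattern):
            return False
        if obj.table is None:
            # Database-level request: a policy restricted to fin* cannot satisfy
            # it, which is usability issue #1 in the comment above.
            return self.table_pattern == "*"
        return fnmatch.fnmatchcase(obj.table, self.table_pattern)


@dataclass
class AuditEntry:
    user: str
    action: str
    resource: str
    allowed: bool


class ToyAuthorizer:
    """Stand-in for the checkPrivileges hook; writes one audit row per object."""

    def __init__(self, policies: List[Policy]):
        self.policies = list(policies)
        self.audit: List[AuditEntry] = []

    def check_privileges(self, user: str, action: str,
                         outputs: List[PrivObject]) -> bool:
        allowed = True
        for obj in outputs:
            ok = any(p.user == user and action in p.privileges and p.covers(obj)
                     for p in self.policies)
            # Usability issue #2: the audit row can only name what the object carries.
            self.audit.append(AuditEntry(user, action, obj.name(), ok))
            allowed = allowed and ok
        return allowed


# Constructed sample policies: user1 has nothing (the reporter's scenario);
# finuser may create tables named fin* in the finance database (Alok Lal's case).
SAMPLE_POLICIES = [
    Policy("finuser", "finance", "fin*", frozenset({"CREATE"})),
]


def import_table(auth: ToyAuthorizer, user: str, db: str, table: str,
                 table_exists: bool, mode: str) -> bool:
    """Authorize 'IMPORT TABLE db.table FROM ...' under three modelled behaviours.

    "unpatched":   no CREATE check when the table has to be created (the bug).
    "db_level":    CREATE checked on the database object only (no table name).
    "table_level": CREATE checked on the db/table object.
    """
    if table_exists:
        return True  # INSERT/ALTER checks on an existing table are out of scope here
    if mode == "unpatched":
        return True  # table is created without any CREATE check at all
    if mode == "db_level":
        outputs = [PrivObject(db)]
    elif mode == "table_level":
        outputs = [PrivObject(db, table)]
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return auth.check_privileges(user, "CREATE", outputs)


def run_scenarios():
    """Run the thread's scenarios; returns ({scenario: allowed}, audit rows)."""
    auth = ToyAuthorizer(SAMPLE_POLICIES)
    results = {
        "user1/unpatched": import_table(auth, "user1", "default", "tt1", False, "unpatched"),
        "user1/table_level": import_table(auth, "user1", "default", "tt1", False, "table_level"),
        "finuser/db_level": import_table(auth, "finuser", "finance", "fintemp", False, "db_level"),
        "finuser/table_level": import_table(auth, "finuser", "finance", "fintemp", False, "table_level"),
        "finuser/other_table": import_table(auth, "finuser", "finance", "salestmp", False, "table_level"),
    }
    return results, auth.audit


if __name__ == "__main__":
    results, audit = run_scenarios()
    for name, ok in results.items():
        print(f"{name:22} -> {'ALLOWED' if ok else 'DENIED'}")
    for row in audit:
        print(row)
```

The "unpatched" row reproduces the reporter's AR (user1 creates tt1 with no CREATE privilege). The "db_level" row shows why a {{fin*}} policy is useless when the object carries no table name, and the audit list shows that only the "table_level" variant produces a row naming {{finance/fintemp}}.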