[ https://issues.apache.org/jira/browse/HIVE-14099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15552496#comment-15552496 ]

Thejas M Nair commented on HIVE-14099:
--------------------------------------

Adding a note that this does not affect the SQL Standard or Ranger authorization 
plugins. They both use a config whitelist for the set of configs that are allowed 
to be modified.

With SQL std auth or ranger you would get an error message like the following -
{code}
0: jdbc:hive2://localhost:10000/default> set hive.security.authorization.enabled=false;
Error: Error while processing statement: Cannot modify hive.security.authorization.enabled at runtime. It is not in list of params that are allowed to be modified at runtime (state=42000,code=1)
{code}

This issue would affect [legacy authorization mode|https://cwiki.apache.org/confluence/display/Hive/Hive+Default+Authorization+-+Legacy+Mode], 
which is inherently unsecure.

Also, trying to secure hive-cli this way is meaningless; you can specify any 
config options on the command line to override the settings, or point it to a 
different config directly, or even read directly from HDFS.



> Hive security authorization can be disabled by users
> ----------------------------------------------------
>
>                 Key: HIVE-14099
>                 URL: https://issues.apache.org/jira/browse/HIVE-14099
>             Project: Hive
>          Issue Type: Improvement
>          Components: Authorization
>    Affects Versions: 0.13.1
>            Reporter: Prashant Kumar Singh
>            Assignee: Aihua Xu
>             Fix For: 2.2.0
>
>         Attachments: HIVE-14099.1.patch
>
>
> In case we enable:
> hive.security.authorization.enabled=true in hive-site.xml
> this setting can be disabled by users at their hive prompt. There should be a 
> hardcoded setting in the configs.
> The other thing is, once we enable authorization, the tables that got created 
> before enabling lose access as they don't have authorization defined. How 
> can this situation be tackled in Hive?
> Note that this issue does not affect SQL standard or ranger authorization 
> plugin.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
