[jira] [Created] (HIVE-27116) HS2 need to send owner info in the HivePrivilegeObject for authorization

2023-03-01 Thread Sai Hemanth Gantasala (Jira)
Sai Hemanth Gantasala created HIVE-27116:


 Summary: HS2 need to send owner info in the HivePrivilegeObject 
for authorization
 Key: HIVE-27116
 URL: https://issues.apache.org/jira/browse/HIVE-27116
 Project: Hive
  Issue Type: Bug
  Components: HiveServer2, Security
Reporter: Sai Hemanth Gantasala
Assignee: Sai Hemanth Gantasala


UDFs (Functions) of HivePrivilegeObject should send owner info for 
authorization.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Created] (HIVE-27071) Select query with LIMIT clause can fail if there are marker files like "_SUCCESS" and "_MANIFEST"

2023-02-11 Thread Sai Hemanth Gantasala (Jira)
Sai Hemanth Gantasala created HIVE-27071:


 Summary: Select query with LIMIT clause can fail if there are 
marker files like "_SUCCESS" and "_MANIFEST"
 Key: HIVE-27071
 URL: https://issues.apache.org/jira/browse/HIVE-27071
 Project: Hive
  Issue Type: Bug
  Components: HiveServer2
Affects Versions: 4.0.0
Reporter: Sai Hemanth Gantasala
Assignee: László Bodor


Spark clients create marker files like "_SUCCESS" and "_MANIFEST" under the 
table/partition path at the end of a write operation. For example: 
'hdfs://name-node-host/table/partition/_SUCCESS'
Whenever Hive is trying to read that table with the LIMIT clause, it could lead to 
the following error:
{code:java}
ERROR : Vertex failed, vertexName=Map 1, 
vertexId=vertex_1676095298574_0017_2_00, diagnostics=[Vertex 
vertex_1676095298574_0017_2_00 [Map 1] killed/failed due 
to:ROOT_INPUT_INIT_FAILURE, Vertex Input: trade initializer failed, 
vertex=vertex_1676095298574_0017_2_00 [Map 1], 
org.apache.hadoop.mapred.InvalidInputException: Input path does not exist: 
hdfs://name-node-host/table/partition/_MANIFEST
Input path does not exist: hdfs://name-node-host/table/partition/_SUCCESS at 
org.apache.hadoop.mapred.FileInputFormat.singleThreadedListStatus(FileInputFormat.java:300)
at org.apache.hadoop.mapred.FileInputFormat.listStatus(FileInputFormat.java:240)
at org.apache.hadoop.mapred.FileInputFormat.getSplits(FileInputFormat.java:328)
at 
org.apache.hadoop.hive.ql.io.HiveInputFormat.addSplitsForGroup(HiveInputFormat.java:579)
 {code}
Hive execution engine should ignore these marker files while reading the 
table/partition data.





[jira] [Created] (HIVE-26911) Renaming a translated external table with a specified location fails with 'location already exists' exception

2023-01-05 Thread Sai Hemanth Gantasala (Jira)
Sai Hemanth Gantasala created HIVE-26911:


 Summary: Renaming a translated external table with a specified 
location fails with 'location already exists' exception
 Key: HIVE-26911
 URL: https://issues.apache.org/jira/browse/HIVE-26911
 Project: Hive
  Issue Type: Bug
  Components: Standalone Metastore
Affects Versions: 4.0.0
Reporter: Sai Hemanth Gantasala
Assignee: Sai Hemanth Gantasala


Renaming a translated external table with a specified location fails with 
'location already exists' exception.
Below are steps for repro
{code:java}
create database tmp;
use tmp;
create table b(s string) stored as parquet location 
'hdfs://localhost:20500/test-warehouse/tmp.db/some_location';
alter table b rename to bb;
ERROR: InvalidOperationException: New location for this table hive.tmp.bb 
already exists : hdfs://localhost:20500/test-warehouse/tmp.db/some_location 
{code}





[jira] [Created] (HIVE-26850) ColumnInfo of the source table should not be null for the alter view as query

2022-12-14 Thread Sai Hemanth Gantasala (Jira)
Sai Hemanth Gantasala created HIVE-26850:


 Summary: ColumnInfo of the source table should not be null for the 
alter view as query
 Key: HIVE-26850
 URL: https://issues.apache.org/jira/browse/HIVE-26850
 Project: Hive
  Issue Type: Bug
Reporter: Sai Hemanth Gantasala
Assignee: Sai Hemanth Gantasala


The ColumnInfo for the source table of the alter view as query is coming as 
null and as a result, the column info is not present for the table. The 
ColumnInfo should be non-null.

More details are to follow.





[jira] [Created] (HIVE-26838) Add a new event to improve cache performance in external systems that communicates with HMS.

2022-12-12 Thread Sai Hemanth Gantasala (Jira)
Sai Hemanth Gantasala created HIVE-26838:


 Summary: Add a new event to improve cache performance in external 
systems that communicates with HMS.
 Key: HIVE-26838
 URL: https://issues.apache.org/jira/browse/HIVE-26838
 Project: Hive
  Issue Type: New Feature
  Components: Hive, Standalone Metastore
Reporter: Sai Hemanth Gantasala
Assignee: Sai Hemanth Gantasala


Adding support for a new event "Reload event" in the HMS (HiveMetaStore). This 
event can be used by external services that depend on HMS for metadata 
operations to improve their cache performance. In the distributed environment 
where there are replicas of an external service (with its own cache in each of 
these replicas) talking to HMS for metadata operations, the reload event can be 
used to address the cache performance and ensure consistency among all the 
replicas for a given table/partition.





[jira] [Created] (HIVE-26799) Make authorizations on custom UDFs involved in tables/view configurable.

2022-11-30 Thread Sai Hemanth Gantasala (Jira)
Sai Hemanth Gantasala created HIVE-26799:


 Summary: Make authorizations on custom UDFs involved in 
tables/view configurable.
 Key: HIVE-26799
 URL: https://issues.apache.org/jira/browse/HIVE-26799
 Project: Hive
  Issue Type: New Feature
  Components: HiveServer2, Security
Affects Versions: 4.0.0-alpha-2
Reporter: Sai Hemanth Gantasala
Assignee: Sai Hemanth Gantasala


When Hive is using Ranger/Sentry as an authorization service, consider the 
following scenario.

 
{code:java}
> create table test_udf(st string);   // privileged user operation 
> create function Udf_UPPER as 'openkb.hive.udf.MyUpper' using jar 
> 'hdfs:///tmp/MyUpperUDF-1.0.0.jar'; // privileged user operation
> create view v1_udf as select udf_upper(st) from test_udf; // privileged user 
> operation
//unprivileged user test_user is given select permissions on view v1_udf
> select * from v1_udf;  {code}
It is expected that test_user needs to have select privilege on v1_udf and 
select permissions on the udf_upper custom UDF in order to do a select query on 
the view. 

 

 

This patch introduces a configuration 
"hive.security.authorization.functions.in.view"=false which disables 
authorization on views associated with views/tables during the select query. In 
this mode, only UDFs explicitly stated in the query would still be authorized 
as it is currently.

The reason for making these custom UDFs associated with view/tables 
authorizable is that currently, test_user will need to be granted select 
permissions on the custom UDF, and the test_user can use this UDF and query 
against any other table, which is a security concern.





[jira] [Created] (HIVE-26647) Implement deserialization API for commit compaction event

2022-10-18 Thread Sai Hemanth Gantasala (Jira)
Sai Hemanth Gantasala created HIVE-26647:


 Summary: Implement deserialization API for commit compaction event
 Key: HIVE-26647
 URL: https://issues.apache.org/jira/browse/HIVE-26647
 Project: Hive
  Issue Type: Improvement
  Components: Hive, Serializers/Deserializers
Reporter: Sai Hemanth Gantasala
Assignee: Sai Hemanth Gantasala


[HIVE-24329|https://issues.apache.org/jira/browse/HIVE-24329] introduced a 
notification event for commit compaction (which is serializing an event and 
inserting it into the notification log). We also need to implement a 
deserialization API for the commit compaction event so external listeners can 
read this event. 





[jira] [Created] (HIVE-26610) Upgrade calcite-core to 1.32.0 to avoid CVE-2022-39135

2022-10-07 Thread Sai Hemanth Gantasala (Jira)
Sai Hemanth Gantasala created HIVE-26610:


 Summary: Upgrade calcite-core to 1.32.0 to avoid CVE-2022-39135
 Key: HIVE-26610
 URL: https://issues.apache.org/jira/browse/HIVE-26610
 Project: Hive
  Issue Type: Bug
Reporter: Sai Hemanth Gantasala
Assignee: Sai Hemanth Gantasala








[jira] [Created] (HIVE-26537) Deprecate older APIs in the HMS

2022-09-15 Thread Sai Hemanth Gantasala (Jira)
Sai Hemanth Gantasala created HIVE-26537:


 Summary: Deprecate older APIs in the HMS
 Key: HIVE-26537
 URL: https://issues.apache.org/jira/browse/HIVE-26537
 Project: Hive
  Issue Type: Improvement
Affects Versions: 4.0.0-alpha-1, 4.0.0-alpha-2
Reporter: Sai Hemanth Gantasala
Assignee: Sai Hemanth Gantasala


This Jira is to track the clean-up (deprecate older APIs and point the HMS 
client to the newer APIs) work in the Hive metastore server.

More details will be added here soon.





[jira] [Created] (HIVE-26508) Remove netty transitive dependencies from hcatalog and hbase pom files to avoid CVEs

2022-08-31 Thread Sai Hemanth Gantasala (Jira)
Sai Hemanth Gantasala created HIVE-26508:


 Summary: Remove netty transitive dependencies from hcatalog and 
hbase pom files to avoid CVEs
 Key: HIVE-26508
 URL: https://issues.apache.org/jira/browse/HIVE-26508
 Project: Hive
  Issue Type: Bug
  Components: HBase Handler, HCatalog
Affects Versions: 4.0.0-alpha-1, 4.0.0, 4.0.0-alpha-2
Reporter: Sai Hemanth Gantasala
Assignee: Sai Hemanth Gantasala


Remove netty transitive dependencies (coming from hadoop related dependencies) 
from hcatalog and hbase pom files to avoid CVEs





[jira] [Created] (HIVE-26457) Upgrade package jetty to version 9.4.39+ to avoid CVE-2021-28165, CVE-2020-27216

2022-08-05 Thread Sai Hemanth Gantasala (Jira)
Sai Hemanth Gantasala created HIVE-26457:


 Summary: Upgrade package jetty to version 9.4.39+ to avoid 
CVE-2021-28165, CVE-2020-27216
 Key: HIVE-26457
 URL: https://issues.apache.org/jira/browse/HIVE-26457
 Project: Hive
  Issue Type: Bug
Reporter: Sai Hemanth Gantasala








[jira] [Created] (HIVE-26422) Create table via spark-shell vs HS2 has discrepancy in authorization config policy

2022-07-22 Thread Sai Hemanth Gantasala (Jira)
Sai Hemanth Gantasala created HIVE-26422:


 Summary: Create table via spark-shell vs HS2 has discrepancy in 
authorization config policy  
 Key: HIVE-26422
 URL: https://issues.apache.org/jira/browse/HIVE-26422
 Project: Hive
  Issue Type: Bug
  Components: HiveServer2, Standalone Metastore
Affects Versions: 4.0.0
Reporter: Sai Hemanth Gantasala
Assignee: Sai Hemanth Gantasala


Create table via spark-shell creates 4 privileges "INSERT,SELECT,UPDATE,DELETE" 
via table owner grants config whereas when we create an external table through 
hiveserver2 (using client like beeline) it doesn't create any owner privileges 
which is the desired condition.

Note: In Hive's hive-site.xml, the following is set:
hive.security.authorization.createtable.user.grants=''
hive.security.authorization.createtable.group.grants=''
hive.security.authorization.createtable.role.grants=''
hive.security.authorization.createtable.owner.grants='' 
Also the setup is kerberized and uses ranger as an authorization service.

So, when we create a table via spark-shell we shouldn't set 
hive.security.authorization.createtable.owner.grants in the code 
[https://github.com/apache/hive/blob/master/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java#L625]; 
instead, it should be picked using hive-site.xml (which is already done in the 
CreateTableAutomaticGrants class).

The side effect of having table owner privileges set in the code is that the 
TBL_PRIVS table in RDBMS is growing with every create table command.





[jira] [Created] (HIVE-26305) Upgrade package hadoop-common to version 3.1.4+ to avoid CVE-2020-9492

2022-06-09 Thread Sai Hemanth Gantasala (Jira)
Sai Hemanth Gantasala created HIVE-26305:


 Summary: Upgrade package hadoop-common to version 3.1.4+ to avoid 
CVE-2020-9492
 Key: HIVE-26305
 URL: https://issues.apache.org/jira/browse/HIVE-26305
 Project: Hive
  Issue Type: Bug
  Components: HiveServer2, Security, Standalone Metastore
Reporter: Sai Hemanth Gantasala
Assignee: Sai Hemanth Gantasala


Upgrade package hadoop-common to version 3.1.4+ to avoid CVE-2020-9492





[jira] [Created] (HIVE-26304) Upgrade package pac4j-core to version 5.2.0 or above due to CVE-2021-44878

2022-06-09 Thread Sai Hemanth Gantasala (Jira)
Sai Hemanth Gantasala created HIVE-26304:


 Summary: Upgrade package pac4j-core to version 5.2.0 or above due 
to CVE-2021-44878
 Key: HIVE-26304
 URL: https://issues.apache.org/jira/browse/HIVE-26304
 Project: Hive
  Issue Type: Bug
  Components: Standalone Metastore
Reporter: Sai Hemanth Gantasala
Assignee: Sai Hemanth Gantasala


Upgrade package pac4j-core to version 5.2.0 or above due to CVE-2021-44878





[jira] [Created] (HIVE-26300) Upgrade Jackson databind version to 2.12.6.1+ to avoid CVE-2020-36518

2022-06-08 Thread Sai Hemanth Gantasala (Jira)
Sai Hemanth Gantasala created HIVE-26300:


 Summary: Upgrade Jackson databind version to 2.12.6.1+ to avoid 
CVE-2020-36518
 Key: HIVE-26300
 URL: https://issues.apache.org/jira/browse/HIVE-26300
 Project: Hive
  Issue Type: Bug
  Components: Hive
Reporter: Sai Hemanth Gantasala
Assignee: Sai Hemanth Gantasala


Upgrade Jackson databind version to 2.12.6.1+ to avoid *CVE-2020-36518*





[jira] [Created] (HIVE-26178) Multiple version of woodstox jars found in spark class path

2022-04-26 Thread Sai Hemanth Gantasala (Jira)
Sai Hemanth Gantasala created HIVE-26178:


 Summary: Multiple version of woodstox jars found in spark class 
path 
 Key: HIVE-26178
 URL: https://issues.apache.org/jira/browse/HIVE-26178
 Project: Hive
  Issue Type: Bug
  Components: Hive, Spark
Reporter: Sai Hemanth Gantasala
Assignee: Sai Hemanth Gantasala


In Spark the woodstox-core jar is coming from two sources:
 - hadoop-client (woodstox-core:jar:5.0.3)
 - hive-service (woodstox-core:jar:5.2.1) introduced via xml sec dependency.

Woodstox jar is anyway not used in the hive. So we can remove this dependency 
in the hive.





[jira] [Created] (HIVE-26055) Fix the HivePrivilegesObjects for Alter table rename command

2022-03-21 Thread Sai Hemanth Gantasala (Jira)
Sai Hemanth Gantasala created HIVE-26055:


 Summary: Fix the HivePrivilegesObjects for Alter table rename 
command
 Key: HIVE-26055
 URL: https://issues.apache.org/jira/browse/HIVE-26055
 Project: Hive
  Issue Type: Bug
  Components: HiveServer2, Security
Reporter: Sai Hemanth Gantasala
Assignee: Sai Hemanth Gantasala


Fix the HivePrivilegeObjects for Alter table rename query in a way that it 
includes source table information in the output objects and destination table 
information in the input objects.

 





[jira] [Created] (HIVE-25988) CreateTableEvent should have database object as one of the hive privilege object.

2022-02-25 Thread Sai Hemanth Gantasala (Jira)
Sai Hemanth Gantasala created HIVE-25988:


 Summary: CreateTableEvent should have database object as one of 
the hive privilege object.
 Key: HIVE-25988
 URL: https://issues.apache.org/jira/browse/HIVE-25988
 Project: Hive
  Issue Type: Bug
  Components: Hive, Standalone Metastore
Reporter: Sai Hemanth Gantasala
Assignee: Sai Hemanth Gantasala


The CreateTableEvent in HMS should have a database object as one of the 
HivePrivilege Objects so that it is consistent with HS2's CreateTable Event.
Also, we need to move the DFS_URI object into the InputList so that this is 
also consistent with HS2's behavior.

Having database objects in the create table events hive privilege objects helps 
to determine if a user has the right permissions to create a table in a 
particular database via ranger/sentry.





[jira] [Created] (HIVE-25826) Support table defaults at each database level

2021-12-20 Thread Sai Hemanth Gantasala (Jira)
Sai Hemanth Gantasala created HIVE-25826:


 Summary: Support table defaults at each database level
 Key: HIVE-25826
 URL: https://issues.apache.org/jira/browse/HIVE-25826
 Project: Hive
  Issue Type: New Feature
  Components: HiveServer2, Standalone Metastore
Reporter: Sai Hemanth Gantasala
Assignee: Sai Hemanth Gantasala


This feature jira is for adding support for users being able to specify default 
table types at each database level. Currently, this is configurable at the 
service level (HS2) and at each JDBC session-level. The goal is to be able to 
specify the default table type for each database either when the DB is created 
(create DB DDL) or at any point later (via alter db DDL).

More details and design docs for this feature will be added soon to this Jira.





[jira] [Created] (HIVE-25813) CREATE TABLE x LIKE storagehandler-based-source fails

2021-12-15 Thread Sai Hemanth Gantasala (Jira)
Sai Hemanth Gantasala created HIVE-25813:


 Summary: CREATE TABLE x LIKE storagehandler-based-source fails 
 Key: HIVE-25813
 URL: https://issues.apache.org/jira/browse/HIVE-25813
 Project: Hive
  Issue Type: Bug
Reporter: Sai Hemanth Gantasala
Assignee: Sai Hemanth Gantasala


{code:java}
CREATE EXTERNAL TABLE default.dbs (
  DB_ID            bigint,
  DB_LOCATION_URI  string,
  NAME             string,
  OWNER_NAME       string,
  OWNER_TYPE       string )
STORED BY 'org.apache.hive.storage.jdbc.JdbcStorageHandler'
TBLPROPERTIES (
  'hive.sql.database.type' = 'MYSQL',
  'hive.sql.jdbc.driver'   = 'com.mysql.jdbc.Driver',
  'hive.sql.jdbc.url'      = 'jdbc:mysql://localhost:3306/hive1',
  'hive.sql.dbcp.username' = 'hive1',
  'hive.sql.dbcp.password' = 'cloudera',
  'hive.sql.query'         = 'SELECT DB_ID, DB_LOCATION_URI, NAME, OWNER_NAME, OWNER_TYPE FROM DBS'
);

CREATE TABLE default.dbscopy LIKE default.dbs;

Caused by: java.lang.NullPointerException
at 
org.apache.hadoop.hive.metastore.HiveMetaStoreUtils.getFieldsFromDeserializer(HiveMetaStoreUtils.java:186)
 {code}





[jira] [Created] (HIVE-25809) Implement URI Mapping for KuduStorageHandler in Hive

2021-12-14 Thread Sai Hemanth Gantasala (Jira)
Sai Hemanth Gantasala created HIVE-25809:


 Summary: Implement URI Mapping for KuduStorageHandler in Hive 
 Key: HIVE-25809
 URL: https://issues.apache.org/jira/browse/HIVE-25809
 Project: Hive
  Issue Type: Bug
  Components: HiveServer2, Security
Reporter: Sai Hemanth Gantasala
Assignee: Sai Hemanth Gantasala


Currently, there is no storage URI mapping for KuduStorageHandler based on the 
feature HIVE-24705. The API getURIForAuth() needs to be implemented in 
KuduStorageHandler.





[jira] [Created] (HIVE-25786) Auto-close browser window/tab after successful auth with SSO(SAML) authentication

2021-12-07 Thread Sai Hemanth Gantasala (Jira)
Sai Hemanth Gantasala created HIVE-25786:


 Summary: Auto-close browser window/tab after successful auth with 
SSO(SAML) authentication
 Key: HIVE-25786
 URL: https://issues.apache.org/jira/browse/HIVE-25786
 Project: Hive
  Issue Type: Bug
  Components: Authentication, HiveServer2
Reporter: Sai Hemanth Gantasala
Assignee: Sai Hemanth Gantasala


When a client (beeline/DBeaver) tries to connect to HS2, each connection opens a 
new tab, which is a bit of an annoying user experience. This task is to 
auto-close the window on a successful auth after a timed interval (5 sec). On 
an unsuccessful auth, the browser window would not be auto-closed.





[jira] [Created] (HIVE-25785) Upgrade xmlsec to 2.1.7/2.2.3 due to CVE-2021-40690

2021-12-07 Thread Sai Hemanth Gantasala (Jira)
Sai Hemanth Gantasala created HIVE-25785:


 Summary: Upgrade xmlsec to 2.1.7/2.2.3 due to CVE-2021-40690
 Key: HIVE-25785
 URL: https://issues.apache.org/jira/browse/HIVE-25785
 Project: Hive
  Issue Type: Bug
  Components: Hive, Security
Reporter: Sai Hemanth Gantasala
Assignee: Sai Hemanth Gantasala


Hive is currently pulling in xmlsec 2.2.1. This needs to be upgraded to 2.2.3+ 
due to CVE-2021-40690.





[jira] [Created] (HIVE-25724) Support External only tables for particular databases.

2021-11-18 Thread Sai Hemanth Gantasala (Jira)
Sai Hemanth Gantasala created HIVE-25724:


 Summary: Support External only tables for particular databases.
 Key: HIVE-25724
 URL: https://issues.apache.org/jira/browse/HIVE-25724
 Project: Hive
  Issue Type: Improvement
  Components: HiveServer2, Standalone Metastore
Reporter: Sai Hemanth Gantasala
Assignee: Sai Hemanth Gantasala


Goal:
To be able to support disabling of ACID tables for a particular database.

Why?:
There is a use case to support BDR and hive3 replication engines in parallel. 
This can be used to avoid the creation of ACID tables in DBs replicated by the 
BDR engine. (BDR does not have the ability to replicate ACID tables)
Some users might want to use this as well for their legacy DBs while they 
transition to ACID tables in some newer DBs.

How?
A "special" property to be set on the database. If this property is set, HMS 
will prevent the creation of ACID tables in this database.

Note:
 # Hive/HMS to implement the enforcement of this property in preventing table 
creation.
 # Hive/HMS will not prevent end-users from setting/tampering with this 
property.





[jira] [Created] (HIVE-25709) Upgrade netty to 4.1.68+ due to CVE-2021-37136, CVE-2021-37137

2021-11-16 Thread Sai Hemanth Gantasala (Jira)
Sai Hemanth Gantasala created HIVE-25709:


 Summary: Upgrade netty to 4.1.68+ due to CVE-2021-37136, 
CVE-2021-37137
 Key: HIVE-25709
 URL: https://issues.apache.org/jira/browse/HIVE-25709
 Project: Hive
  Issue Type: Bug
  Components: HiveServer2, Security
Reporter: Sai Hemanth Gantasala
Assignee: Sai Hemanth Gantasala


Upgrade netty to 4.1.68+ due to CVE-2021-37136, CVE-2021-37137





[jira] [Created] (HIVE-25695) Make spark views authorization in hive configurable.

2021-11-12 Thread Sai Hemanth Gantasala (Jira)
Sai Hemanth Gantasala created HIVE-25695:


 Summary: Make spark views authorization in hive configurable.
 Key: HIVE-25695
 URL: https://issues.apache.org/jira/browse/HIVE-25695
 Project: Hive
  Issue Type: Improvement
  Components: HiveServer2
Reporter: Sai Hemanth Gantasala
Assignee: Sai Hemanth Gantasala


HIVE-24026 introduced an authorization model where views created from external 
sources like spark are not authorized at create time, but when a user does 
select on the view. We need to make this authorization configurable. 

This Jira introduces a new config to make this auth model configurable.

 
{code:java}
hive.security.authorization.enabled.on.spark.views=true {code}
This config is turned on by default. If the users wish to turn off this config, 
then they can set this config to false, which means that during the select 
query, the underlying tables for that view will not be authorized.

 

The reason for making this auth model configurable is that there can be a 
use case where a user is running a workload of create/alter/select views without 
HIVE-24026 (with ranger/sentry policies in place where users have select 
permissions only on the view but not on the underlying tables) and when the user 
upgrades to HIVE-24026, the admin will have to configure ranger/sentry policies on 
all the underlying tables for required users. By simply turning off this config, 
the user can do workload operations but at the cost of a security hole for 
not authorizing the underlying tables.





[jira] [Created] (HIVE-25621) Alter table partition compact/concatenate commands should send HivePrivilegeObjects for Authz

2021-10-18 Thread Sai Hemanth Gantasala (Jira)
Sai Hemanth Gantasala created HIVE-25621:


 Summary: Alter table partition compact/concatenate commands should 
send HivePrivilegeObjects for Authz
 Key: HIVE-25621
 URL: https://issues.apache.org/jira/browse/HIVE-25621
 Project: Hive
  Issue Type: Bug
Affects Versions: 4.0.0
Reporter: Sai Hemanth Gantasala
Assignee: Sai Hemanth Gantasala


# Run the following queries 
Create table temp(c0 int) partitioned by (c1 int);
Insert into temp values(1,1);
ALTER TABLE temp PARTITION (c1=1) COMPACT 'minor';
ALTER TABLE temp PARTITION (c1=1) CONCATENATE;
Insert into temp values(1,1);
 # The above compact/concatenate commands are currently not sending any hive 
privilege objects for authorization. Hive needs to send these objects to avoid 
malicious users doing any operation.





[jira] [Created] (HIVE-25570) Hive should send full URL path for authorization for the command insert overwrite location

2021-09-28 Thread Sai Hemanth Gantasala (Jira)
Sai Hemanth Gantasala created HIVE-25570:


 Summary: Hive should send full URL path for authorization for the 
command insert overwrite location
 Key: HIVE-25570
 URL: https://issues.apache.org/jira/browse/HIVE-25570
 Project: Hive
  Issue Type: Bug
  Components: Authorization, HiveServer2
Affects Versions: 4.0.0
Reporter: Sai Hemanth Gantasala
Assignee: Sai Hemanth Gantasala


For authorization, Hive is currently sending the path given as input from the 
user for the command, e.g.:
{code:java}
insert overwrite directory 
'/user/warehouse/tablespace/external/something/new/test_new_tb1' select * from 
test_tb1;
{code}
Hive is sending the path as 
'/user/warehouse/tablespace/external/something/new/test_new_tb1' 
Instead, Hive should send a fully qualified path for authorization, e.g.: 
'hdfs://hostname:port_name/user/warehouse/tablespace/external/something/new/test_new_tb1'





[jira] [Created] (HIVE-25547) Alter view as Select statement should create Authorizable events in HiveServer2

2021-09-22 Thread Sai Hemanth Gantasala (Jira)
Sai Hemanth Gantasala created HIVE-25547:


 Summary: Alter view as Select statement should create Authorizable 
events in HiveServer2
 Key: HIVE-25547
 URL: https://issues.apache.org/jira/browse/HIVE-25547
 Project: Hive
  Issue Type: Bug
Affects Versions: 4.0.0
Reporter: Sai Hemanth Gantasala
Assignee: Sai Hemanth Gantasala


Consider the scenario:
{code:java}
-- A privileged user is doing the following actions.
Create table foo_tbl(i int);
Create table foo_bar(name string);
Create view foo_view as select * from foo_tbl;

-- An unprivileged user can do the following operation, when he/she has select 
-- privileges on foo_bar table but he/she doesn't have any privileges on foo_tbl 
-- or foo_view.
alter view foo_view as select * from foo_bar;{code}
An unauthorized user shouldn't be able to alter the view schema when he/she 
doesn't have any privileges on that view.

 

 

 





[jira] [Created] (HIVE-25545) Add/Drop constraints events on table should be authorized in HS2

2021-09-21 Thread Sai Hemanth Gantasala (Jira)
Sai Hemanth Gantasala created HIVE-25545:


 Summary: Add/Drop constraints events on table should be authorized 
in HS2
 Key: HIVE-25545
 URL: https://issues.apache.org/jira/browse/HIVE-25545
 Project: Hive
  Issue Type: Bug
  Components: HiveServer2
Reporter: Sai Hemanth Gantasala
Assignee: Sai Hemanth Gantasala


Alter table foo_tbl ADD constraint c1_unique UNIQUE(id1) disable novalidate;
Alter table foo_tbl DROP constraint c1_unique;

The above statements are currently not being authorized in Ranger/Sentry. These 
should be authorized by creating authorizable events in Hive.





[jira] [Created] (HIVE-25514) Alter table with owner policies should honor {OWNER} policies from Apache Ranger in the HMS

2021-09-10 Thread Sai Hemanth Gantasala (Jira)
Sai Hemanth Gantasala created HIVE-25514:


 Summary: Alter table with owner policies should honor {OWNER} 
policies from Apache Ranger in the HMS
 Key: HIVE-25514
 URL: https://issues.apache.org/jira/browse/HIVE-25514
 Project: Hive
  Issue Type: Bug
  Components: Hive, Standalone Metastore
Reporter: Sai Hemanth Gantasala
Assignee: Sai Hemanth Gantasala


The following commands should honor {OWNER} policies from Apache Ranger in the 
HMS.
{code:java}
Show partitions table_name;

alter table foo.table_name partition (country='us') rename to partition 
(country='canada');

alter table foo.table_name drop partition (id='canada');{code}
The examples above are tables with partitions. So the partition APIs in HMS 
should be modified to honor {OWNER} policies from Apache Ranger. 





[jira] [Created] (HIVE-25490) Table object should be authorized with owner info in the get_partitions() api in

2021-08-30 Thread Sai Hemanth Gantasala (Jira)
Sai Hemanth Gantasala created HIVE-25490:


 Summary: Table object should be authorized with owner info in the 
get_partitions() api in 
 Key: HIVE-25490
 URL: https://issues.apache.org/jira/browse/HIVE-25490
 Project: Hive
  Issue Type: Bug
  Components: Hive, Standalone Metastore
Reporter: Sai Hemanth Gantasala
Assignee: Sai Hemanth Gantasala


HiveMetaStore#get_partitions() api is currently authorizing against table name. 
Instead, the table object should be authorized so that it also has table_owner 
information in the table object.

Currently, a user from spark-shell running these commands (in a rangerized 
environment): 

> spark.sql( " create database 791237_db1 " ).show(false)

> spark.sql( " CREATE EXTERNAL TABLE IF NOT EXISTS 791237_db1.t1(cal_dt 
>timestamp) PARTITIONED BY (year string) stored as parquet location 
>'/791237/791237_db1' " ).show(false)

> spark.sql( " select * from 791237_db1.t1 " ).show(false)

ERROR metadata.Hive: NoSuchObjectException(message:Table t1 does not exist)

Even though the user is the owner of the table, the same user cannot query 
the table. This should be addressed.





[jira] [Created] (HIVE-25468) Create/Drop functions should be authorized in HMS

2021-08-19 Thread Sai Hemanth Gantasala (Jira)
Sai Hemanth Gantasala created HIVE-25468:


 Summary: Create/Drop functions should be authorized in HMS
 Key: HIVE-25468
 URL: https://issues.apache.org/jira/browse/HIVE-25468
 Project: Hive
  Issue Type: Bug
  Components: Hive
Reporter: Sai Hemanth Gantasala
Assignee: Sai Hemanth Gantasala


Create function func_name using class 'org.someclass' using jar '/path_to_jar';

Drop function func_name;

These commands are currently authorized in HS2 but not in HiveMetastore. These 
commands should be authorized for HMS clients (e.g. spark-shell) on the 
end-user.





[jira] [Created] (HIVE-25444) Use a config to disable authorization on storage handlers by default.

2021-08-11 Thread Sai Hemanth Gantasala (Jira)
Sai Hemanth Gantasala created HIVE-25444:


 Summary: Use a config to disable authorization on storage handlers 
by default.
 Key: HIVE-25444
 URL: https://issues.apache.org/jira/browse/HIVE-25444
 Project: Hive
  Issue Type: Improvement
  Components: HiveServer2
Reporter: Sai Hemanth Gantasala
Assignee: Sai Hemanth Gantasala


Using a config "hive.security.authorization.tables.on.storagehandlers" with a 
default false, we'll enable the authorization on storage handlers by default. 
Authorization is enabled if this config is set to true. 





[jira] [Created] (HIVE-25408) AlterTableSetOwnerAnalyzer should send Hive Privilege Objects for Authorization.

2021-07-29 Thread Sai Hemanth Gantasala (Jira)
Sai Hemanth Gantasala created HIVE-25408:


 Summary: AlterTableSetOwnerAnalyzer should send Hive Privilege 
Objects for Authorization. 
 Key: HIVE-25408
 URL: https://issues.apache.org/jira/browse/HIVE-25408
 Project: Hive
  Issue Type: Bug
Affects Versions: 4.0.0
Reporter: Sai Hemanth Gantasala
Assignee: Sai Hemanth Gantasala


Currently, Hive is sending an empty list in the Hive Privilege Objects for 
authorization when a user does the following operation: alter table foo set 
owner user user_name;
We should be sending the input/objects related to the table in Hive privilege 
objects for authorization.





[jira] [Created] (HIVE-25380) Remove the Hive Privilege Object for Database in the ReadTableEvent and CreatTableEvent.

2021-07-23 Thread Sai Hemanth Gantasala (Jira)
Sai Hemanth Gantasala created HIVE-25380:


 Summary: Remove the Hive Privilege Object for Database in the 
ReadTableEvent and CreatTableEvent.
 Key: HIVE-25380
 URL: https://issues.apache.org/jira/browse/HIVE-25380
 Project: Hive
  Issue Type: Bug
  Components: Hive, Standalone Metastore
Reporter: Sai Hemanth Gantasala
Assignee: Sai Hemanth Gantasala


Hive server2 sends privilege objects of only tables whenever select/create 
table command is issued. This should be consistent in HMS also, i.e., 
HiveMetaStoreAuthorizer should send only table related HivePrivilege Objects 
for authorization.





[jira] [Created] (HIVE-25349) Skip password authentication when a trusted header is present in the Http request

2021-07-19 Thread Sai Hemanth Gantasala (Jira)
Sai Hemanth Gantasala created HIVE-25349:


 Summary: Skip password authentication when a trusted header is 
present in the Http request
 Key: HIVE-25349
 URL: https://issues.apache.org/jira/browse/HIVE-25349
 Project: Hive
  Issue Type: Improvement
  Components: Hive, HiveServer2
Reporter: Sai Hemanth Gantasala
Assignee: Sai Hemanth Gantasala


Whenever a trusted header is present in the HTTP servlet request, skip the 
password-based authentication, since the user is pre-authorized, and extract the 
user name from the Authorization header.





[jira] [Created] (HIVE-25303) CTAS hive.create.as.external.legacy tries to place data files in managed WH path

2021-06-30 Thread Sai Hemanth Gantasala (Jira)
Sai Hemanth Gantasala created HIVE-25303:


 Summary: CTAS hive.create.as.external.legacy tries to place data 
files in managed WH path
 Key: HIVE-25303
 URL: https://issues.apache.org/jira/browse/HIVE-25303
 Project: Hive
  Issue Type: Bug
  Components: HiveServer2, Standalone Metastore
Reporter: Sai Hemanth Gantasala
Assignee: Sai Hemanth Gantasala


Under legacy table creation mode (hive.create.as.external.legacy=true), when a 
database has been created in a specific LOCATION, in a session where that 
database is USEd, tables created using

CREATE TABLE  AS SELECT 

should inherit the HDFS path from the database's location.

Instead, Hive is trying to write the table data into 
/warehouse/tablespace/managed/hive//





[jira] [Created] (HIVE-25132) ReadDatabase event should return HiveOperationType as ShowDatabases

2021-05-18 Thread Sai Hemanth Gantasala (Jira)
Sai Hemanth Gantasala created HIVE-25132:


 Summary: ReadDatabase event should return HiveOperationType as 
ShowDatabases
 Key: HIVE-25132
 URL: https://issues.apache.org/jira/browse/HIVE-25132
 Project: Hive
  Issue Type: Bug
Reporter: Sai Hemanth Gantasala
Assignee: Sai Hemanth Gantasala


Currently ReadDatabaseEvent should return a HivePrivilegeObject with 
HiveOperationType as ShowDatabases instead of Query. This is useful if we have 
a default policy in ranger that grants access to all databases.





[jira] [Created] (HIVE-25131) PreAlterPartitionEvent should have table owner details that can be authorized in ranger/sentry

2021-05-18 Thread Sai Hemanth Gantasala (Jira)
Sai Hemanth Gantasala created HIVE-25131:


 Summary: PreAlterPartitionEvent should have table owner details 
that can be authorized in ranger/sentry 
 Key: HIVE-25131
 URL: https://issues.apache.org/jira/browse/HIVE-25131
 Project: Hive
  Issue Type: Bug
Reporter: Sai Hemanth Gantasala
Assignee: Sai Hemanth Gantasala


PreAlterPartition event should have a table object, so that the call can be 
authorized in ranger/sentry using the owner details of the table object.





[jira] [Created] (HIVE-25114) Optimize get_tables() api call in HMS

2021-05-13 Thread Sai Hemanth Gantasala (Jira)
Sai Hemanth Gantasala created HIVE-25114:


 Summary: Optimize get_tables() api call in HMS
 Key: HIVE-25114
 URL: https://issues.apache.org/jira/browse/HIVE-25114
 Project: Hive
  Issue Type: Improvement
Reporter: Sai Hemanth Gantasala
Assignee: Sai Hemanth Gantasala


Optimize get_tables() call in HMS api. There should only be one call to object 
store instead of 2 calls to return the table objects.





[jira] [Created] (HIVE-25091) Implement connector provider for MSSQL and Oracle

2021-05-04 Thread Sai Hemanth Gantasala (Jira)
Sai Hemanth Gantasala created HIVE-25091:


 Summary: Implement connector provider for MSSQL and Oracle
 Key: HIVE-25091
 URL: https://issues.apache.org/jira/browse/HIVE-25091
 Project: Hive
  Issue Type: Sub-task
Reporter: Sai Hemanth Gantasala
Assignee: Sai Hemanth Gantasala


Provide an implementation of Connector provider for MSSQL and Oracle





[jira] [Created] (HIVE-25039) Disable discovery.partitions config for external tables by default

2021-04-20 Thread Sai Hemanth Gantasala (Jira)
Sai Hemanth Gantasala created HIVE-25039:


 Summary: Disable discovery.partitions config for external tables 
by default
 Key: HIVE-25039
 URL: https://issues.apache.org/jira/browse/HIVE-25039
 Project: Hive
  Issue Type: Improvement
Reporter: Sai Hemanth Gantasala
Assignee: Sai Hemanth Gantasala


We need to disable the discovery.partitions config for the external tables with 
partitions by default because every HMS API call to the external partition (for 
example S3) is costly. We can selectively enable this config for tables by: 
alter table set tblproperty.





[jira] [Created] (HIVE-24876) Disable /longconf.jsp page on HS2 web UI for non admin users

2021-03-11 Thread Sai Hemanth Gantasala (Jira)
Sai Hemanth Gantasala created HIVE-24876:


 Summary: Disable /longconf.jsp page on HS2 web UI for non admin 
users
 Key: HIVE-24876
 URL: https://issues.apache.org/jira/browse/HIVE-24876
 Project: Hive
  Issue Type: Bug
  Components: HiveServer2
Affects Versions: 4.0.0
Reporter: Sai Hemanth Gantasala
Assignee: Sai Hemanth Gantasala


/logconf.jsp page should be disabled for users that are not in admin roles. 
Otherwise, any user can flood the log files with different log levels that can 
be configured on HS2 web UI.





[jira] [Created] (HIVE-24816) Upgrade jackson to 2.10.5.1 or 2.11.0+ due to CVE-2020-25649

2021-02-23 Thread Sai Hemanth Gantasala (Jira)
Sai Hemanth Gantasala created HIVE-24816:


 Summary: Upgrade jackson to 2.10.5.1 or 2.11.0+ due to 
CVE-2020-25649
 Key: HIVE-24816
 URL: https://issues.apache.org/jira/browse/HIVE-24816
 Project: Hive
  Issue Type: Bug
  Components: HiveServer2
Reporter: Sai Hemanth Gantasala
Assignee: Sai Hemanth Gantasala


Currently, hive is pulling Jackson 2.10.5 version jar. Please upgrade to 
2.10.5.1 or 2.11.0+ due to CVE-2020-25649.





[jira] [Created] (HIVE-24769) HiveMetaStore getTables() doesn't have Owner information to filter on it

2021-02-10 Thread Sai Hemanth Gantasala (Jira)
Sai Hemanth Gantasala created HIVE-24769:


 Summary: HiveMetaStore getTables() doesn't have Owner information 
to filter on it
 Key: HIVE-24769
 URL: https://issues.apache.org/jira/browse/HIVE-24769
 Project: Hive
  Issue Type: Improvement
Reporter: Sai Hemanth Gantasala
Assignee: Sai Hemanth Gantasala


HiveMetaStoreClient#getTables() api should have table owner information so that 
they can be used while authorizing in Apache Ranger/Sentry.

 





[jira] [Created] (HIVE-24768) Use jackson-bom everywhere for version replacement

2021-02-10 Thread Sai Hemanth Gantasala (Jira)
Sai Hemanth Gantasala created HIVE-24768:


 Summary: Use jackson-bom everywhere for version replacement
 Key: HIVE-24768
 URL: https://issues.apache.org/jira/browse/HIVE-24768
 Project: Hive
  Issue Type: Improvement
Reporter: Sai Hemanth Gantasala
Assignee: Sai Hemanth Gantasala


It's more of an optimization but makes it easier to replace the versions 
wherever necessary for the Jackson dependency.





[jira] [Created] (HIVE-24705) Create/Alter/Drop tables based on storage handlers in HS2 should be authorized by Ranger/Sentry

2021-01-29 Thread Sai Hemanth Gantasala (Jira)
Sai Hemanth Gantasala created HIVE-24705:


 Summary: Create/Alter/Drop tables based on storage handlers in HS2 
should be authorized by Ranger/Sentry
 Key: HIVE-24705
 URL: https://issues.apache.org/jira/browse/HIVE-24705
 Project: Hive
  Issue Type: Improvement
Reporter: Sai Hemanth Gantasala
Assignee: Sai Hemanth Gantasala








[jira] [Created] (HIVE-24603) ALTER TABLE RENAME is not modifying the location of managed table

2021-01-07 Thread Sai Hemanth Gantasala (Jira)
Sai Hemanth Gantasala created HIVE-24603:


 Summary: ALTER TABLE RENAME is not modifying the location of 
managed table
 Key: HIVE-24603
 URL: https://issues.apache.org/jira/browse/HIVE-24603
 Project: Hive
  Issue Type: Bug
  Components: Standalone Metastore
Reporter: Sai Hemanth Gantasala
Assignee: Sai Hemanth Gantasala


The location of the managed table is not changing when the table is renamed.

This causes correctness issues as well like the following -

create table abc (id int);
insert into abc values (1);
alter table abc rename to def;
create table abc (id int); -- This should be empty
insert into abc values (2);
select * from abc; -- now returns 1 and 2 (i.e. the old results as well)





[jira] [Created] (HIVE-24500) Hive - upgrade log4j 2.12.1 to 2.13.2+ due to CVE-2020-9488

2020-12-07 Thread Sai Hemanth Gantasala (Jira)
Sai Hemanth Gantasala created HIVE-24500:


 Summary: Hive - upgrade log4j 2.12.1 to 2.13.2+ due to 
CVE-2020-9488
 Key: HIVE-24500
 URL: https://issues.apache.org/jira/browse/HIVE-24500
 Project: Hive
  Issue Type: Bug
Reporter: Sai Hemanth Gantasala
Assignee: Sai Hemanth Gantasala


Hive is pulling in log4j 2.12.1 specifically to:
 * ./usr/lib/hive/lib/log4j-core-2.12.1.jar

CVE-2020-9488 affects this version and the fix is to upgrade to 2.13.2+. So, 
upgrade this dependency.





[jira] [Created] (HIVE-24499) Throw error when respective connector JDBC jar is not present in the lib/ path.

2020-12-07 Thread Sai Hemanth Gantasala (Jira)
Sai Hemanth Gantasala created HIVE-24499:


 Summary: Throw error when respective connector JDBC jar is not 
present in the lib/ path.
 Key: HIVE-24499
 URL: https://issues.apache.org/jira/browse/HIVE-24499
 Project: Hive
  Issue Type: Sub-task
  Components: HiveServer2
Reporter: Sai Hemanth Gantasala
Assignee: Sai Hemanth Gantasala








[jira] [Created] (HIVE-24456) Column masking/hashing function in hive should use SHA512 if FIPS mode is enabled

2020-11-30 Thread Sai Hemanth Gantasala (Jira)
Sai Hemanth Gantasala created HIVE-24456:


 Summary: Column masking/hashing function in hive should use SHA512 
if FIPS mode is enabled
 Key: HIVE-24456
 URL: https://issues.apache.org/jira/browse/HIVE-24456
 Project: Hive
  Issue Type: Wish
  Components: HiveServer2
Reporter: Sai Hemanth Gantasala
Assignee: Sai Hemanth Gantasala


hive-site.xml should have the following property to indicate that FIPS mode is 
enabled.



<property>
  <name>hive.masking.algo</name>
  <value>sha256</value>
</property>



If this property is present, then GenericUDFMaskHash should use SHA512 instead 
of SHA256 encoding for column masking.





[jira] [Created] (HIVE-24303) Upgrade spring framework to 4.3.29.RELEASE+ due to CVE-2020-5421

2020-10-22 Thread Sai Hemanth Gantasala (Jira)
Sai Hemanth Gantasala created HIVE-24303:


 Summary: Upgrade spring framework to 4.3.29.RELEASE+ due to 
CVE-2020-5421
 Key: HIVE-24303
 URL: https://issues.apache.org/jira/browse/HIVE-24303
 Project: Hive
  Issue Type: Bug
  Components: Security
Reporter: Sai Hemanth Gantasala
Assignee: Sai Hemanth Gantasala


Hive is pulling in 4.3.18.RELEASE which is vulnerable to CVE-2020-5421. Please 
upgrade to 4.3.29.RELEASE+





[jira] [Created] (HIVE-24287) Cookie Signer class should use SHA-512 instead of SHA-256 for cookie signature

2020-10-19 Thread Sai Hemanth Gantasala (Jira)
Sai Hemanth Gantasala created HIVE-24287:


 Summary: Cookie Signer class should use SHA-512 instead of SHA-256 
for cookie signature
 Key: HIVE-24287
 URL: https://issues.apache.org/jira/browse/HIVE-24287
 Project: Hive
  Issue Type: Bug
Reporter: Sai Hemanth Gantasala
Assignee: Sai Hemanth Gantasala


private static final String SHA_STRING = "SHA-256"; should use SHA-512 instead



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
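
The effect of the algorithm change requested in HIVE-24287, as an added example that is not Hive's CookieSigner code: a signed-cookie helper whose algorithm is a constructor parameter, showing tamper detection and what happens to cookies issued before the switch. The class name SignedCookie, the "&s=" delimiter, the secret and the cookie value are assumptions constructed for the example, and it uses HMAC (HmacSHA256/HmacSHA512) as the keyed construction, which is this example's choice and not something the ticket states.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Added illustration: SignedCookie is a hypothetical class, not Hive's CookieSigner. */
public class SignedCookie {
    private static final String SEPARATOR = "&s=";   // assumed value/signature delimiter
    private final String macAlgorithm;               // "HmacSHA256" or "HmacSHA512"
    private final SecretKeySpec key;

    public SignedCookie(byte[] secret, String macAlgorithm) {
        this.macAlgorithm = macAlgorithm;
        this.key = new SecretKeySpec(secret, macAlgorithm);
    }

    private byte[] mac(String value) throws GeneralSecurityException {
        Mac mac = Mac.getInstance(macAlgorithm);
        mac.init(key);
        return mac.doFinal(value.getBytes(StandardCharsets.UTF_8));
    }

    /** Returns value + SEPARATOR + base64url(HMAC(value)). */
    public String sign(String value) throws GeneralSecurityException {
        return value + SEPARATOR
            + Base64.getUrlEncoder().withoutPadding().encodeToString(mac(value));
    }

    /** Returns the cookie value if the signature verifies, otherwise throws. */
    public String verify(String signed) throws GeneralSecurityException {
        int idx = signed.lastIndexOf(SEPARATOR);
        if (idx < 0) {
            throw new IllegalArgumentException("cookie carries no signature");
        }
        String value = signed.substring(0, idx);
        // An invalid base64 signature makes decode() throw IllegalArgumentException too.
        byte[] presented =
            Base64.getUrlDecoder().decode(signed.substring(idx + SEPARATOR.length()));
        // MessageDigest.isEqual avoids leaking the position of the first differing byte.
        if (!MessageDigest.isEqual(mac(value), presented)) {
            throw new IllegalArgumentException("cookie signature mismatch");
        }
        return value;
    }

    private static boolean accepts(SignedCookie signer, String cookie)
            throws GeneralSecurityException {
        try {
            signer.verify(cookie);
            return true;
        } catch (IllegalArgumentException e) {
            return false;
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Secret and cookie value are constructed sample data.
        byte[] secret = "constructed-demo-secret".getBytes(StandardCharsets.UTF_8);
        SignedCookie sha256 = new SignedCookie(secret, "HmacSHA256");
        SignedCookie sha512 = new SignedCookie(secret, "HmacSHA512");

        String issuedBeforeSwitch = sha256.sign("cu=alice&rn=12345");
        String issuedAfterSwitch = sha512.sign("cu=alice&rn=12345");
        String tampered = issuedAfterSwitch.replace("alice", "admin");

        System.out.println("SHA-512 cookie, SHA-512 verifier: " + accepts(sha512, issuedAfterSwitch));
        System.out.println("tampered cookie, SHA-512 verifier: " + accepts(sha512, tampered));
        System.out.println("SHA-256 cookie, SHA-512 verifier: " + accepts(sha512, issuedBeforeSwitch));
    }
}
```

Cookies issued under the old algorithm no longer verify once the signer is switched, so clients holding them have to authenticate again.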


[jira] [Created] (HIVE-24118) Remove the unnecessary try/catch blocks in the TestHiveMetaStoreAuthorizer

2020-09-03 Thread Sai Hemanth Gantasala (Jira)
Sai Hemanth Gantasala created HIVE-24118:


 Summary: Remove the unnecessary try/catch blocks in the 
TestHiveMetaStoreAuthorizer
 Key: HIVE-24118
 URL: https://issues.apache.org/jira/browse/HIVE-24118
 Project: Hive
  Issue Type: Bug
Reporter: Sai Hemanth Gantasala
Assignee: Sai Hemanth Gantasala


The catch-all exception in a lot of test cases in TestHiveMetaStoreAuthorizer 
is not good and can give false positives (e.g. testD_CreateView_SuperUser), since 
the test will pass in case there is a MetaException thrown. The test added will 
pass without code modifications in the HiveMetastoreAuthorizer as well and 
hence it is not really a good regression test. Would be good to fix them up as 
well.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
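
The false positive described in HIVE-24118, as an added example that is not code from TestHiveMetaStoreAuthorizer: the same super-user check written once with a catch-all and once strictly, run against a correct and a regressed authorizer. Every type, method and user name below is a hypothetical stand-in constructed for the example.

```java
/** Added illustration: every type here is a hypothetical stand-in, not a Hive class. */
public class CatchAllTestDemo {
    static class MetaException extends Exception {
        MetaException(String msg) { super(msg); }
    }

    /** Stand-in for an authorization hook called before a view is created. */
    interface ViewAuthorizer {
        void checkCreateView(String user) throws MetaException;
    }

    // Intended behaviour (assumed for the example): only super user "hive" may create views.
    static final ViewAuthorizer CORRECT = user -> {
        if (!"hive".equals(user)) {
            throw new MetaException("CREATE_VIEW not permitted for " + user);
        }
    };
    // Regression: the super-user exemption is lost, so everybody is denied.
    static final ViewAuthorizer DENIES_ALL = user -> {
        throw new MetaException("CREATE_VIEW not permitted for " + user);
    };
    // Regression in the other direction: the check fails open.
    static final ViewAuthorizer ALLOWS_ALL = user -> { };

    /** Catch-all pattern: the outcome is the same whether access was allowed or denied. */
    static boolean superUserTestWithCatchAll(ViewAuthorizer authorizer) {
        try {
            authorizer.checkCreateView("hive");
        } catch (Exception e) {
            // Swallowed: a MetaException for the super user does not fail the test.
        }
        return true;
    }

    /** Strict form: a denial of the super user fails the test. */
    static boolean superUserTestStrict(ViewAuthorizer authorizer) {
        try {
            authorizer.checkCreateView("hive");
            return true;
        } catch (MetaException e) {
            return false;
        }
    }

    /** Strict negative test: a normal user must be denied, and by the authorizer itself. */
    static boolean normalUserTestStrict(ViewAuthorizer authorizer) {
        try {
            authorizer.checkCreateView("alice");
            return false;   // no exception means the check failed open
        } catch (MetaException e) {
            return e.getMessage().contains("not permitted");
        }
    }

    public static void main(String[] args) {
        String[] names = {"CORRECT", "DENIES_ALL", "ALLOWS_ALL"};
        ViewAuthorizer[] authorizers = {CORRECT, DENIES_ALL, ALLOWS_ALL};
        for (int i = 0; i < authorizers.length; i++) {
            System.out.printf("%-10s catch-all=%b strict-superuser=%b strict-normal-user=%b%n",
                names[i],
                superUserTestWithCatchAll(authorizers[i]),
                superUserTestStrict(authorizers[i]),
                normalUserTestStrict(authorizers[i]));
        }
    }
}
```

Only the strict variants distinguish the three authorizers; the catch-all variant reports a pass for all of them.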


[jira] [Created] (HIVE-24098) Bump Jetty to 9.4.31.v20200723 to get rid of Tomcat CVE warnings

2020-08-31 Thread Sai Hemanth Gantasala (Jira)
Sai Hemanth Gantasala created HIVE-24098:


 Summary: Bump Jetty to 9.4.31.v20200723 to get rid of Tomcat CVE 
warnings
 Key: HIVE-24098
 URL: https://issues.apache.org/jira/browse/HIVE-24098
 Project: Hive
  Issue Type: Bug
  Components: Security
Reporter: Sai Hemanth Gantasala
Assignee: Sai Hemanth Gantasala


Jetty jar has some fixes for transitive CVEs (apache-jsp see details below).

When using the Apache JServ Protocol (AJP), care must be taken when trusting 
incoming connections to Apache Tomcat. Tomcat treats AJP connections as having 
higher trust than, for example, a similar HTTP connection. If such connections 
are available to an attacker, they can be exploited in ways that may be 
surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50, and 7.0.0 
to 7.0.99, Tomcat shipped with an AJP Connector enabled by default that 
listened on all configured IP addresses. It was expected (and recommended in 
the security guide) that this Connector would be disabled if not required. This 
vulnerability report identified a mechanism that allowed:
 * returning arbitrary files from anywhere in the web application
 * processing any file in the web application as a JSP

Further, if the web application allowed file upload and 
stored those files within the web application (or the attacker was able to 
control the content of the web application by some other means) then this, 
along with the ability to process a file as a JSP, made remote code execution 
possible. It is important to note that mitigation is only required if an AJP 
port is accessible to untrusted users.

So we need to upgrade Jetty to 9.4.30+ to get rid of Tomcat CVE warnings:
 * [https://github.com/eclipse/jetty.project/commit/fedc7c65997d433bbdfc26fb3d861f8488f9c804]
 * [https://github.com/eclipse/jetty.project/commit/74a2ce7a4299014d0b8e4549961e7034ae24c3d1]

There are also a bunch of other misc fixes:

[https://github.com/eclipse/jetty.project/releases]





[jira] [Created] (HIVE-24048) Harmonise Jackson components to version 2.10.latest - Hive

2020-08-18 Thread Sai Hemanth Gantasala (Jira)
Sai Hemanth Gantasala created HIVE-24048:


 Summary: Harmonise Jackson components to version 2.10.latest - Hive
 Key: HIVE-24048
 URL: https://issues.apache.org/jira/browse/HIVE-24048
 Project: Hive
  Issue Type: Bug
  Components: HiveServer2
Reporter: Sai Hemanth Gantasala
Assignee: Sai Hemanth Gantasala


Hive uses the following jackson components not harmonised with 
jackson-databind's version (2.10.0)
 * jackson-dataformat-yaml 2.9.8
 * jackson-jaxrs-base 2.9.8

To avoid conflicts caused by version mismatches please harmonise it with 
jackson-databind's version.





[jira] [Created] (HIVE-24045) No logging related to when default database is created

2020-08-17 Thread Sai Hemanth Gantasala (Jira)
Sai Hemanth Gantasala created HIVE-24045:


 Summary: No logging related to when default database is created
 Key: HIVE-24045
 URL: https://issues.apache.org/jira/browse/HIVE-24045
 Project: Hive
  Issue Type: Bug
  Components: Metastore
Reporter: Sai Hemanth Gantasala
Assignee: Sai Hemanth Gantasala


There do not appear to be any HMS logs related to when the "default" database 
is first created in Hive. This would be useful for troubleshooting.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)


[jira] [Created] (HIVE-24026) HMS/Ranger Spark view authorization plan

2020-08-11 Thread Sai Hemanth Gantasala (Jira)
Sai Hemanth Gantasala created HIVE-24026:


 Summary: HMS/Ranger Spark view authorization plan
 Key: HIVE-24026
 URL: https://issues.apache.org/jira/browse/HIVE-24026
 Project: Hive
  Issue Type: Improvement
  Components: HiveServer2, Security
Reporter: Sai Hemanth Gantasala
Assignee: Sai Hemanth Gantasala


Currently, Ranger disallows Spark from creating virtual views via HMS because 
spark clients are normal users. We should have a capability where spark client 
can create views in HS2.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)


[jira] [Created] (HIVE-23990) Thrift client throws TApplication Exception instead of TTransportException

2020-08-04 Thread Sai Hemanth Gantasala (Jira)
Sai Hemanth Gantasala created HIVE-23990:


 Summary: Thrift client throws TApplication Exception instead of 
TTransportException
 Key: HIVE-23990
 URL: https://issues.apache.org/jira/browse/HIVE-23990
 Project: Hive
  Issue Type: Bug
  Components: Tests
Reporter: Sai Hemanth Gantasala
Assignee: Sai Hemanth Gantasala


When the thrift version is upgraded from 0.9.3 to 0.13, TServiceClient is 
throwing TApplicationException instead of TTransportException for a couple of 
tests in hive/ql. So TTransportException should be changed to TException which 
is more appropriate.





[jira] [Created] (HIVE-23969) Table owner info not being passed during show tables in database.

2020-07-31 Thread Sai Hemanth Gantasala (Jira)
Sai Hemanth Gantasala created HIVE-23969:


 Summary: Table owner info not being passed during show tables in 
database.
 Key: HIVE-23969
 URL: https://issues.apache.org/jira/browse/HIVE-23969
 Project: Hive
  Issue Type: Bug
  Components: Hive
Reporter: Sai Hemanth Gantasala
Assignee: Sai Hemanth Gantasala
 Attachments: Screen Shot 2020-07-31 at 10.55.51 AM.png, Screen Shot 
2020-07-31 at 10.56.25 AM.png, Screen Shot 2020-07-31 at 10.56.51 AM.png

Table owner information is not being passed in HiveMetaStore. As a result, even 
though a user is the owner of tables, without a ranger policy, the user is 
unable to view the tables they created.


