---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/71532/#review218205
---
Ship it!
Code change looks good.
- kalyan kumar kalvagadda
On Sept. 25, 2019, 6:54 a.m., Wenchao Li wrote:
>
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/71532/
> ---
>
> (Updated Sept. 25, 2019, 6:54 a.m.)
>
>
> Review request for sentry, Arjun Mishra, kalyan kumar kalvagadda, and Na Li.
>
>
> Bugs: SENTRY-2533
> https://issues.apache.org/jira/browse/SENTRY-2533
>
>
> Repository: sentry
>
>
> Description
> ---
>
> HIVE-20420(CVE-2018-11777) introduced a fallback authorizer factory which
> disallowed some builtin UDFs such as java_method, reflect, reflect2 and
> in_file. But Sentry does not black in_file up to now, so a malicious user can
> use in_file in SQL queries to detect some specific files on the HS2 host, or
> to detect whether a specific file has specific content. in_file should be
> added to HIVE_UDF_BLACK_LIST.
>
>
> Diffs
> -
>
>
> sentry-binding/sentry-binding-hive-conf/src/main/java/org/apache/sentry/binding/hive/conf/HiveAuthzConf.java
> 5c433290972d5ffc52ef342678b6b11e48f28cef
>
> sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtFunctionScope.java
> c6e14a56004a934a025cc7abb2fe6646e5d36768
>
>
> Diff: https://reviews.apache.org/r/71532/diff/1/
>
>
> Testing
> ---
>
> Added a unit test to test if it is properly blacked.
>
>
> Thanks,
>
> Wenchao Li
>
>