[jira] [Commented] (HIVE-14099) Hive security authorization can be disabled by users
[ https://issues.apache.org/jira/browse/HIVE-14099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15596830#comment-15596830 ] Shannon Ladymon commented on HIVE-14099: Doc done. Removing TODOC2.2 label. > Hive security authorization can be disabled by users > > > Key: HIVE-14099 > URL: https://issues.apache.org/jira/browse/HIVE-14099 > Project: Hive > Issue Type: Improvement > Components: Authorization >Affects Versions: 0.13.1 >Reporter: Prashant Kumar Singh >Assignee: Aihua Xu > Fix For: 2.2.0 > > Attachments: HIVE-14099.1.patch > > > In case we enables : > hive.security.authorization.enabled=true in hive-site.xml > this setting can be disabled by users at their hive prompt. There should be > hardcoded setting in the configs. > The other thing is once we enable authorization, the tables that got created > before enabling looses access as they don't have authorization defined. How > this situation can be tackled in hive. > Note that this issue does not affect SQL standard or ranger authorization > plugin. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HIVE-14099) Hive security authorization can be disabled by users
[ https://issues.apache.org/jira/browse/HIVE-14099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15554428#comment-15554428 ] Lefty Leverenz commented on HIVE-14099: --- Doc note: This changes the default value of *hive.conf.restricted.list* so the wiki needs to be updated. (It's out of date anyway: the default changed in 0.13.0 with HIVE-5953, 0.14.0 with HIVE-6437, and 2.1.0 with HIVE-13853.) * [Configuration Properties -- hive.conf.restricted.list | https://cwiki.apache.org/confluence/display/Hive/Configuration+Properties#ConfigurationProperties-hive.conf.restricted.list] Added a TODOC2.2 label. > Hive security authorization can be disabled by users > > > Key: HIVE-14099 > URL: https://issues.apache.org/jira/browse/HIVE-14099 > Project: Hive > Issue Type: Improvement > Components: Authorization >Affects Versions: 0.13.1 >Reporter: Prashant Kumar Singh >Assignee: Aihua Xu > Labels: TODOC2.2 > Fix For: 2.2.0 > > Attachments: HIVE-14099.1.patch > > > In case we enables : > hive.security.authorization.enabled=true in hive-site.xml > this setting can be disabled by users at their hive prompt. There should be > hardcoded setting in the configs. > The other thing is once we enable authorization, the tables that got created > before enabling looses access as they don't have authorization defined. How > this situation can be tackled in hive. > Note that this issue does not affect SQL standard or ranger authorization > plugin. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HIVE-14099) Hive security authorization can be disabled by users
[
https://issues.apache.org/jira/browse/HIVE-14099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15552496#comment-15552496
]
Thejas M Nair commented on HIVE-14099:
--
Adding a note that this does not affect SQL Standard or ranger authorization
plugin. They both use a config whitelist, for set of configs that are allowed
to be modified.
With SQL std auth or ranger you would get an error message like the following -
{code}
0: jdbc:hive2://localhost:1/default> set
hive.security.authorization.enabled=false;
Error: Error while processing statement: Cannot modify
hive.security.authorization.enabled at runtime. It is not in list of params
that are allowed to be modified at runtime (state=42000,code=1)
{code}
This issue would affect [legacy authorization
mode|https://cwiki.apache.org/confluence/display/Hive/Hive+Default+Authorization+-+Legacy+Mode],
which is inherently unsecure.
Also, trying to secure hive-cli this way is meaningless, you can specify any
config options on commandline to override the settings, or point it to a
different config directly, or even read directly from HDFS.
> Hive security authorization can be disabled by users
>
>
> Key: HIVE-14099
> URL: https://issues.apache.org/jira/browse/HIVE-14099
> Project: Hive
> Issue Type: Improvement
> Components: Authorization
>Affects Versions: 0.13.1
>Reporter: Prashant Kumar Singh
>Assignee: Aihua Xu
> Fix For: 2.2.0
>
> Attachments: HIVE-14099.1.patch
>
>
> In case we enables :
> hive.security.authorization.enabled=true in hive-site.xml
> this setting can be disabled by users at their hive prompt. There should be
> hardcoded setting in the configs.
> The other thing is once we enable authorization, the tables that got created
> before enabling looses access as they don't have authorization defined. How
> this situation can be tackled in hive.
> Note that this issue does not affect SQL standard or ranger authorization
> plugin.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (HIVE-14099) Hive security authorization can be disabled by users
[ https://issues.apache.org/jira/browse/HIVE-14099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15546754#comment-15546754 ] Yongzhi Chen commented on HIVE-14099: - The fix looks fine. +1 > Hive security authorization can be disabled by users > > > Key: HIVE-14099 > URL: https://issues.apache.org/jira/browse/HIVE-14099 > Project: Hive > Issue Type: Improvement > Components: Authorization >Affects Versions: 0.13.1 >Reporter: Prashant Kumar Singh >Assignee: Aihua Xu > Attachments: HIVE-14099.1.patch > > > In case we enables : > hive.security.authorization.enabled=true in hive-site.xml > this setting can be disabled by users at their hive prompt. There should be > hardcoded setting in the configs. > The other thing is once we enable authorization, the tables that got created > before enabling looses access as they don't have authorization defined. How > this situation can be tackled in hive. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HIVE-14099) Hive security authorization can be disabled by users
[
https://issues.apache.org/jira/browse/HIVE-14099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15546683#comment-15546683
]
Aihua Xu commented on HIVE-14099:
-
[~prash.si...@gmail.com] I guess you mean {{ loses access}} rather than
{{looses access}}. Is that right? I think that's expected and admin needs to
grant access permission to the user to access.
> Hive security authorization can be disabled by users
>
>
> Key: HIVE-14099
> URL: https://issues.apache.org/jira/browse/HIVE-14099
> Project: Hive
> Issue Type: Improvement
> Components: Authorization
>Affects Versions: 0.13.1
>Reporter: Prashant Kumar Singh
>Assignee: Aihua Xu
> Attachments: HIVE-14099.1.patch
>
>
> In case we enables :
> hive.security.authorization.enabled=true in hive-site.xml
> this setting can be disabled by users at their hive prompt. There should be
> hardcoded setting in the configs.
> The other thing is once we enable authorization, the tables that got created
> before enabling looses access as they don't have authorization defined. How
> this situation can be tackled in hive.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (HIVE-14099) Hive security authorization can be disabled by users
[ https://issues.apache.org/jira/browse/HIVE-14099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15529837#comment-15529837 ] Aihua Xu commented on HIVE-14099: - I think the authorization works as follows: if you have createtable permission, then you will be able to create. The other users may not have access to such table until the access permission is granted. So they are two different types of permissions. Not sure if I understand the question properly. :) > Hive security authorization can be disabled by users > > > Key: HIVE-14099 > URL: https://issues.apache.org/jira/browse/HIVE-14099 > Project: Hive > Issue Type: Improvement > Components: Authorization >Affects Versions: 0.13.1 >Reporter: Prashant Kumar Singh >Assignee: Aihua Xu > Attachments: HIVE-14099.1.patch > > > In case we enables : > hive.security.authorization.enabled=true in hive-site.xml > this setting can be disabled by users at their hive prompt. There should be > hardcoded setting in the configs. > The other thing is once we enable authorization, the tables that got created > before enabling looses access as they don't have authorization defined. How > this situation can be tackled in hive. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HIVE-14099) Hive security authorization can be disabled by users
[ https://issues.apache.org/jira/browse/HIVE-14099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15529797#comment-15529797 ] Yongzhi Chen commented on HIVE-14099: - [~aihuaxu], the patch is a reasonable change, but how to handle the second issue in the jira? The other thing is once we enable authorization, the tables that got created before enabling looses access as they don't have authorization defined. How this situation can be tackled in hive. > Hive security authorization can be disabled by users > > > Key: HIVE-14099 > URL: https://issues.apache.org/jira/browse/HIVE-14099 > Project: Hive > Issue Type: Improvement > Components: Authorization >Affects Versions: 0.13.1 >Reporter: Prashant Kumar Singh >Assignee: Aihua Xu > Attachments: HIVE-14099.1.patch > > > In case we enables : > hive.security.authorization.enabled=true in hive-site.xml > this setting can be disabled by users at their hive prompt. There should be > hardcoded setting in the configs. > The other thing is once we enable authorization, the tables that got created > before enabling looses access as they don't have authorization defined. How > this situation can be tackled in hive. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HIVE-14099) Hive security authorization can be disabled by users
[
https://issues.apache.org/jira/browse/HIVE-14099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15527700#comment-15527700
]
Hive QA commented on HIVE-14099:
Here are the results of testing the latest attachment:
https://issues.apache.org/jira/secure/attachment/12830528/HIVE-14099.1.patch
{color:red}ERROR:{color} -1 due to no test(s) being added or modified.
{color:red}ERROR:{color} -1 due to 6 failed/errored test(s), 10644 tests
executed
*Failed tests:*
{noformat}
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver[acid_mapjoin]
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver[ctas]
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver[vector_join_part_col_char]
org.apache.hadoop.hive.cli.TestMiniTezCliDriver.testCliDriver[explainuser_3]
org.apache.hadoop.hive.metastore.TestMetaStoreMetrics.testMetaDataCounts
org.apache.hive.jdbc.TestJdbcWithMiniHS2.testAddJarConstructorUnCaching
{noformat}
Test results: https://builds.apache.org/job/PreCommit-HIVE-Build/1318/testReport
Console output: https://builds.apache.org/job/PreCommit-HIVE-Build/1318/console
Test logs:
http://ec2-204-236-174-241.us-west-1.compute.amazonaws.com/logs/PreCommit-HIVE-Build-1318/
Messages:
{noformat}
Executing org.apache.hive.ptest.execution.TestCheckPhase
Executing org.apache.hive.ptest.execution.PrepPhase
Executing org.apache.hive.ptest.execution.ExecutionPhase
Executing org.apache.hive.ptest.execution.ReportingPhase
Tests exited with: TestsFailedException: 6 tests failed
{noformat}
This message is automatically generated.
ATTACHMENT ID: 12830528 - PreCommit-HIVE-Build
> Hive security authorization can be disabled by users
>
>
> Key: HIVE-14099
> URL: https://issues.apache.org/jira/browse/HIVE-14099
> Project: Hive
> Issue Type: Improvement
> Components: Authorization
>Affects Versions: 0.13.1
>Reporter: Prashant Kumar Singh
>Assignee: Aihua Xu
> Attachments: HIVE-14099.1.patch
>
>
> In case we enables :
> hive.security.authorization.enabled=true in hive-site.xml
> this setting can be disabled by users at their hive prompt. There should be
> hardcoded setting in the configs.
> The other thing is once we enable authorization, the tables that got created
> before enabling looses access as they don't have authorization defined. How
> this situation can be tackled in hive.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (HIVE-14099) Hive security authorization can be disabled by users
[ https://issues.apache.org/jira/browse/HIVE-14099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15526874#comment-15526874 ] Aihua Xu commented on HIVE-14099: - Of course, the admin can configure hive.conf.restricted.list even without this patch. But seems it's reasonable to add them as default ones. > Hive security authorization can be disabled by users > > > Key: HIVE-14099 > URL: https://issues.apache.org/jira/browse/HIVE-14099 > Project: Hive > Issue Type: Improvement > Components: Authorization >Affects Versions: 0.13.1 >Reporter: Prashant Kumar Singh >Assignee: Aihua Xu > Attachments: HIVE-14099.1.patch > > > In case we enables : > hive.security.authorization.enabled=true in hive-site.xml > this setting can be disabled by users at their hive prompt. There should be > hardcoded setting in the configs. > The other thing is once we enable authorization, the tables that got created > before enabling looses access as they don't have authorization defined. How > this situation can be tackled in hive. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
