[jira] [Commented] (HIVE-14099) Hive security authorization can be disabled by users

2016-10-21 Thread Shannon Ladymon (JIRA)

[ 
https://issues.apache.org/jira/browse/HIVE-14099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15596830#comment-15596830
 ] 

Shannon Ladymon commented on HIVE-14099:


Doc done. Removing TODOC2.2 label.

> Hive security authorization can be disabled by users
> 
>
> Key: HIVE-14099
> URL: https://issues.apache.org/jira/browse/HIVE-14099
> Project: Hive
>  Issue Type: Improvement
>  Components: Authorization
>Affects Versions: 0.13.1
>Reporter: Prashant Kumar Singh
>Assignee: Aihua Xu
> Fix For: 2.2.0
>
> Attachments: HIVE-14099.1.patch
>
>
> In case we enables :
> hive.security.authorization.enabled=true in hive-site.xml
> this setting can be disabled by users at their hive prompt. There should be 
> hardcoded setting in the configs.
> The other thing is once we enable authorization, the tables that got created 
> before enabling looses access as they don't have authorization defined. How 
> this situation can be tackled in hive.
> Note that this issue does not affect SQL standard or ranger authorization 
> plugin.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)


[jira] [Commented] (HIVE-14099) Hive security authorization can be disabled by users

2016-10-07 Thread Lefty Leverenz (JIRA)

[ 
https://issues.apache.org/jira/browse/HIVE-14099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15554428#comment-15554428
 ] 

Lefty Leverenz commented on HIVE-14099:
---

Doc note:  This changes the default value of *hive.conf.restricted.list* so the 
wiki needs to be updated.  (It's out of date anyway:  the default changed in 
0.13.0 with HIVE-5953, 0.14.0 with HIVE-6437, and 2.1.0 with HIVE-13853.)

* [Configuration Properties -- hive.conf.restricted.list | 
https://cwiki.apache.org/confluence/display/Hive/Configuration+Properties#ConfigurationProperties-hive.conf.restricted.list]

Added a TODOC2.2 label.

> Hive security authorization can be disabled by users
> 
>
> Key: HIVE-14099
> URL: https://issues.apache.org/jira/browse/HIVE-14099
> Project: Hive
>  Issue Type: Improvement
>  Components: Authorization
>Affects Versions: 0.13.1
>Reporter: Prashant Kumar Singh
>Assignee: Aihua Xu
>  Labels: TODOC2.2
> Fix For: 2.2.0
>
> Attachments: HIVE-14099.1.patch
>
>
> In case we enables :
> hive.security.authorization.enabled=true in hive-site.xml
> this setting can be disabled by users at their hive prompt. There should be 
> hardcoded setting in the configs.
> The other thing is once we enable authorization, the tables that got created 
> before enabling looses access as they don't have authorization defined. How 
> this situation can be tackled in hive.
> Note that this issue does not affect SQL standard or ranger authorization 
> plugin.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)


[jira] [Commented] (HIVE-14099) Hive security authorization can be disabled by users

2016-10-06 Thread Thejas M Nair (JIRA)

[ 
https://issues.apache.org/jira/browse/HIVE-14099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15552496#comment-15552496
 ] 

Thejas M Nair commented on HIVE-14099:
--

Adding a note that this does not affect SQL Standard or ranger authorization 
plugin. They both use a config whitelist, for set of configs that are allowed 
to be modified.

With SQL std auth or ranger you would get an error message like the following -
{code}
0: jdbc:hive2://localhost:1/default> set 
hive.security.authorization.enabled=false;
Error: Error while processing statement: Cannot modify 
hive.security.authorization.enabled at runtime. It is not in list of params 
that are allowed to be modified at runtime (state=42000,code=1)
{code}

This issue would affect [legacy authorization 
mode|https://cwiki.apache.org/confluence/display/Hive/Hive+Default+Authorization+-+Legacy+Mode],
 which is inherently unsecure. 

Also, trying to secure hive-cli this way is meaningless, you can specify any 
config options on commandline to override the settings, or point it to a 
different config directly, or even read directly from HDFS.



> Hive security authorization can be disabled by users
> 
>
> Key: HIVE-14099
> URL: https://issues.apache.org/jira/browse/HIVE-14099
> Project: Hive
>  Issue Type: Improvement
>  Components: Authorization
>Affects Versions: 0.13.1
>Reporter: Prashant Kumar Singh
>Assignee: Aihua Xu
> Fix For: 2.2.0
>
> Attachments: HIVE-14099.1.patch
>
>
> In case we enables :
> hive.security.authorization.enabled=true in hive-site.xml
> this setting can be disabled by users at their hive prompt. There should be 
> hardcoded setting in the configs.
> The other thing is once we enable authorization, the tables that got created 
> before enabling looses access as they don't have authorization defined. How 
> this situation can be tackled in hive.
> Note that this issue does not affect SQL standard or ranger authorization 
> plugin.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)


[jira] [Commented] (HIVE-14099) Hive security authorization can be disabled by users

2016-10-04 Thread Yongzhi Chen (JIRA)

[ 
https://issues.apache.org/jira/browse/HIVE-14099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15546754#comment-15546754
 ] 

Yongzhi Chen commented on HIVE-14099:
-

The fix looks fine. +1

> Hive security authorization can be disabled by users
> 
>
> Key: HIVE-14099
> URL: https://issues.apache.org/jira/browse/HIVE-14099
> Project: Hive
>  Issue Type: Improvement
>  Components: Authorization
>Affects Versions: 0.13.1
>Reporter: Prashant Kumar Singh
>Assignee: Aihua Xu
> Attachments: HIVE-14099.1.patch
>
>
> In case we enables :
> hive.security.authorization.enabled=true in hive-site.xml
> this setting can be disabled by users at their hive prompt. There should be 
> hardcoded setting in the configs.
> The other thing is once we enable authorization, the tables that got created 
> before enabling looses access as they don't have authorization defined. How 
> this situation can be tackled in hive.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)


[jira] [Commented] (HIVE-14099) Hive security authorization can be disabled by users

2016-10-04 Thread Aihua Xu (JIRA)

[ 
https://issues.apache.org/jira/browse/HIVE-14099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15546683#comment-15546683
 ] 

Aihua Xu commented on HIVE-14099:
-

[~prash.si...@gmail.com] I guess you mean {{ loses access}} rather than 
{{looses access}}. Is that right? I think that's expected and admin needs to 
grant access permission to the user to access. 



> Hive security authorization can be disabled by users
> 
>
> Key: HIVE-14099
> URL: https://issues.apache.org/jira/browse/HIVE-14099
> Project: Hive
>  Issue Type: Improvement
>  Components: Authorization
>Affects Versions: 0.13.1
>Reporter: Prashant Kumar Singh
>Assignee: Aihua Xu
> Attachments: HIVE-14099.1.patch
>
>
> In case we enables :
> hive.security.authorization.enabled=true in hive-site.xml
> this setting can be disabled by users at their hive prompt. There should be 
> hardcoded setting in the configs.
> The other thing is once we enable authorization, the tables that got created 
> before enabling looses access as they don't have authorization defined. How 
> this situation can be tackled in hive.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)


[jira] [Commented] (HIVE-14099) Hive security authorization can be disabled by users

2016-09-28 Thread Aihua Xu (JIRA)

[ 
https://issues.apache.org/jira/browse/HIVE-14099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15529837#comment-15529837
 ] 

Aihua Xu commented on HIVE-14099:
-

I think the authorization works as follows: if you have createtable permission, 
then you will be able to create. The other users may not have access to such 
table until the access permission is granted. So they are two different types 
of permissions. Not sure if I understand the question properly. :)

> Hive security authorization can be disabled by users
> 
>
> Key: HIVE-14099
> URL: https://issues.apache.org/jira/browse/HIVE-14099
> Project: Hive
>  Issue Type: Improvement
>  Components: Authorization
>Affects Versions: 0.13.1
>Reporter: Prashant Kumar Singh
>Assignee: Aihua Xu
> Attachments: HIVE-14099.1.patch
>
>
> In case we enables :
> hive.security.authorization.enabled=true in hive-site.xml
> this setting can be disabled by users at their hive prompt. There should be 
> hardcoded setting in the configs.
> The other thing is once we enable authorization, the tables that got created 
> before enabling looses access as they don't have authorization defined. How 
> this situation can be tackled in hive.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)


[jira] [Commented] (HIVE-14099) Hive security authorization can be disabled by users

2016-09-28 Thread Yongzhi Chen (JIRA)

[ 
https://issues.apache.org/jira/browse/HIVE-14099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15529797#comment-15529797
 ] 

Yongzhi Chen commented on HIVE-14099:
-

[~aihuaxu], the patch is a reasonable change, but how to handle the second 
issue in the jira?

The other thing is once we enable authorization, the tables that got created 
before enabling looses access as they don't have authorization defined. How 
this situation can be tackled in hive.

> Hive security authorization can be disabled by users
> 
>
> Key: HIVE-14099
> URL: https://issues.apache.org/jira/browse/HIVE-14099
> Project: Hive
>  Issue Type: Improvement
>  Components: Authorization
>Affects Versions: 0.13.1
>Reporter: Prashant Kumar Singh
>Assignee: Aihua Xu
> Attachments: HIVE-14099.1.patch
>
>
> In case we enables :
> hive.security.authorization.enabled=true in hive-site.xml
> this setting can be disabled by users at their hive prompt. There should be 
> hardcoded setting in the configs.
> The other thing is once we enable authorization, the tables that got created 
> before enabling looses access as they don't have authorization defined. How 
> this situation can be tackled in hive.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)


[jira] [Commented] (HIVE-14099) Hive security authorization can be disabled by users

2016-09-27 Thread Hive QA (JIRA)

[ 
https://issues.apache.org/jira/browse/HIVE-14099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15527700#comment-15527700
 ] 

Hive QA commented on HIVE-14099:




Here are the results of testing the latest attachment:
https://issues.apache.org/jira/secure/attachment/12830528/HIVE-14099.1.patch

{color:red}ERROR:{color} -1 due to no test(s) being added or modified.

{color:red}ERROR:{color} -1 due to 6 failed/errored test(s), 10644 tests 
executed
*Failed tests:*
{noformat}
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver[acid_mapjoin]
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver[ctas]
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver[vector_join_part_col_char]
org.apache.hadoop.hive.cli.TestMiniTezCliDriver.testCliDriver[explainuser_3]
org.apache.hadoop.hive.metastore.TestMetaStoreMetrics.testMetaDataCounts
org.apache.hive.jdbc.TestJdbcWithMiniHS2.testAddJarConstructorUnCaching
{noformat}

Test results: https://builds.apache.org/job/PreCommit-HIVE-Build/1318/testReport
Console output: https://builds.apache.org/job/PreCommit-HIVE-Build/1318/console
Test logs: 
http://ec2-204-236-174-241.us-west-1.compute.amazonaws.com/logs/PreCommit-HIVE-Build-1318/

Messages:
{noformat}
Executing org.apache.hive.ptest.execution.TestCheckPhase
Executing org.apache.hive.ptest.execution.PrepPhase
Executing org.apache.hive.ptest.execution.ExecutionPhase
Executing org.apache.hive.ptest.execution.ReportingPhase
Tests exited with: TestsFailedException: 6 tests failed
{noformat}

This message is automatically generated.

ATTACHMENT ID: 12830528 - PreCommit-HIVE-Build

> Hive security authorization can be disabled by users
> 
>
> Key: HIVE-14099
> URL: https://issues.apache.org/jira/browse/HIVE-14099
> Project: Hive
>  Issue Type: Improvement
>  Components: Authorization
>Affects Versions: 0.13.1
>Reporter: Prashant Kumar Singh
>Assignee: Aihua Xu
> Attachments: HIVE-14099.1.patch
>
>
> In case we enables :
> hive.security.authorization.enabled=true in hive-site.xml
> this setting can be disabled by users at their hive prompt. There should be 
> hardcoded setting in the configs.
> The other thing is once we enable authorization, the tables that got created 
> before enabling looses access as they don't have authorization defined. How 
> this situation can be tackled in hive.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)


[jira] [Commented] (HIVE-14099) Hive security authorization can be disabled by users

2016-09-27 Thread Aihua Xu (JIRA)

[ 
https://issues.apache.org/jira/browse/HIVE-14099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15526874#comment-15526874
 ] 

Aihua Xu commented on HIVE-14099:
-

Of course, the admin can configure hive.conf.restricted.list even without this 
patch. But seems it's reasonable to add them as default ones.

> Hive security authorization can be disabled by users
> 
>
> Key: HIVE-14099
> URL: https://issues.apache.org/jira/browse/HIVE-14099
> Project: Hive
>  Issue Type: Improvement
>  Components: Authorization
>Affects Versions: 0.13.1
>Reporter: Prashant Kumar Singh
>Assignee: Aihua Xu
> Attachments: HIVE-14099.1.patch
>
>
> In case we enables :
> hive.security.authorization.enabled=true in hive-site.xml
> this setting can be disabled by users at their hive prompt. There should be 
> hardcoded setting in the configs.
> The other thing is once we enable authorization, the tables that got created 
> before enabling looses access as they don't have authorization defined. How 
> this situation can be tackled in hive.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)