[jira] [Commented] (HIVE-23339) SBA does not check permissions for DB location specified in Create database query
[ https://issues.apache.org/jira/browse/HIVE-23339?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17107149#comment-17107149 ] Miklos Gergely commented on HIVE-23339: --- Thank you [~thejas] [~ShubhamChaurasia] I'd also suggest to find more meaningful names for the methods here. Currently all the functions declared in this interface are called "authorize", and they differ only in their signature. The aforementioned function is for (according to it's comment): "Authorization user level privileges.". Actually it is called only for create database commands, so we might as well rename it to something like authorizeCreateDatabase. The rest of the methods should be reviewed as well. It is not closely related to this jira, but as we'll change the API now anyway, we could do this now too. > SBA does not check permissions for DB location specified in Create database > query > - > > Key: HIVE-23339 > URL: https://issues.apache.org/jira/browse/HIVE-23339 > Project: Hive > Issue Type: Bug > Components: Hive >Affects Versions: 3.1.0 >Reporter: Riju Trivedi >Assignee: Shubham Chaurasia >Priority: Critical > Labels: pull-request-available > Attachments: HIVE-23339.01.patch > > Time Spent: 10m > Remaining Estimate: 0h > > With doAs=true and StorageBasedAuthorization provider, create database with > specific location succeeds even if user doesn't have access to that path. > > {code:java} > hadoop fs -ls -d /tmp/cannot_write > drwx-- - hive hadoop 0 2020-04-01 22:53 /tmp/cannot_write > create a database under /tmp/cannot_write. We would expect it to fail, but is > actually created successfully with "hive" as the owner: > rtrivedi@bdp01:~> beeline -e "create database rtrivedi_1 location > '/tmp/cannot_write/rtrivedi_1'" > INFO : OK > No rows affected (0.116 seconds) > hive@hpchdd2e:~> hadoop fs -ls /tmp/cannot_write > Found 1 items > drwx-- - hive hadoop 0 2020-04-01 23:05 /tmp/cannot_write/rtrivedi_1 > {code} > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (HIVE-23339) SBA does not check permissions for DB location specified in Create database query
[ https://issues.apache.org/jira/browse/HIVE-23339?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17106945#comment-17106945 ] Thejas Nair commented on HIVE-23339: Yes, its fine to change this API. It is not widely used outside of Hive AFAIK. Ranger and others use a different HiveAuthorizer interface. > SBA does not check permissions for DB location specified in Create database > query > - > > Key: HIVE-23339 > URL: https://issues.apache.org/jira/browse/HIVE-23339 > Project: Hive > Issue Type: Bug > Components: Hive >Affects Versions: 3.1.0 >Reporter: Riju Trivedi >Assignee: Shubham Chaurasia >Priority: Critical > Labels: pull-request-available > Attachments: HIVE-23339.01.patch > > Time Spent: 10m > Remaining Estimate: 0h > > With doAs=true and StorageBasedAuthorization provider, create database with > specific location succeeds even if user doesn't have access to that path. > > {code:java} > hadoop fs -ls -d /tmp/cannot_write > drwx-- - hive hadoop 0 2020-04-01 22:53 /tmp/cannot_write > create a database under /tmp/cannot_write. We would expect it to fail, but is > actually created successfully with "hive" as the owner: > rtrivedi@bdp01:~> beeline -e "create database rtrivedi_1 location > '/tmp/cannot_write/rtrivedi_1'" > INFO : OK > No rows affected (0.116 seconds) > hive@hpchdd2e:~> hadoop fs -ls /tmp/cannot_write > Found 1 items > drwx-- - hive hadoop 0 2020-04-01 23:05 /tmp/cannot_write/rtrivedi_1 > {code} > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (HIVE-23339) SBA does not check permissions for DB location specified in Create database query
[ https://issues.apache.org/jira/browse/HIVE-23339?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17104351#comment-17104351 ] Miklos Gergely commented on HIVE-23339: --- As per our discussion with [~ShubhamChaurasia], I also believe that this is the right solution. We have to document it properly that the API has changed. > SBA does not check permissions for DB location specified in Create database > query > - > > Key: HIVE-23339 > URL: https://issues.apache.org/jira/browse/HIVE-23339 > Project: Hive > Issue Type: Bug > Components: Hive >Affects Versions: 3.1.0 >Reporter: Riju Trivedi >Assignee: Shubham Chaurasia >Priority: Critical > Labels: pull-request-available > Attachments: HIVE-23339.01.patch > > Time Spent: 10m > Remaining Estimate: 0h > > With doAs=true and StorageBasedAuthorization provider, create database with > specific location succeeds even if user doesn't have access to that path. > > {code:java} > hadoop fs -ls -d /tmp/cannot_write > drwx-- - hive hadoop 0 2020-04-01 22:53 /tmp/cannot_write > create a database under /tmp/cannot_write. We would expect it to fail, but is > actually created successfully with "hive" as the owner: > rtrivedi@bdp01:~> beeline -e "create database rtrivedi_1 location > '/tmp/cannot_write/rtrivedi_1'" > INFO : OK > No rows affected (0.116 seconds) > hive@hpchdd2e:~> hadoop fs -ls /tmp/cannot_write > Found 1 items > drwx-- - hive hadoop 0 2020-04-01 23:05 /tmp/cannot_write/rtrivedi_1 > {code} > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (HIVE-23339) SBA does not check permissions for DB location specified in Create database query
[ https://issues.apache.org/jira/browse/HIVE-23339?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17104347#comment-17104347 ] Shubham Chaurasia commented on HIVE-23339: -- Thanks for the pointers [~rtrivedi12]. Thanks for the review [~mgergely]. Based on our discussion, I agree that it would be cleaner to have an API with authorizer inputs and outputs rather than passing the properties in HiveConf as the current patch does. For context, currently we are having below API in {{HiveAuthorizationProvider}} {code:java} public void authorize(Privilege[] readRequiredPriv, Privilege[] writeRequiredPriv) throws HiveException, AuthorizationException; {code} Now in {{StorageBasedAuthorizationProvider}} we need some additional information, in this case the custom location of database from 'CREATE DATABASE' query. Current patch achieves this by passing the location via HiveConf. To be able to pass inputs and outputs explicitly we would need something like below - {code:java} public void authorize(Privilege[] readRequiredPriv, Privilege[] writeRequiredPriv, Set inputs, Set outputs) throws HiveException, AuthorizationException; {code} But since {{HiveAuthorizationProvider}} is a public/pluggable interface, I am not sure about modifying it. [~hashutosh] [~thejas] [~mgergely] Does the above API look correct ? How to we usually modify authorizer APIs (or any public API) in hive ? Do we have a doc/guideline for this ? > SBA does not check permissions for DB location specified in Create database > query > - > > Key: HIVE-23339 > URL: https://issues.apache.org/jira/browse/HIVE-23339 > Project: Hive > Issue Type: Bug > Components: Hive >Affects Versions: 3.1.0 >Reporter: Riju Trivedi >Assignee: Shubham Chaurasia >Priority: Critical > Labels: pull-request-available > Attachments: HIVE-23339.01.patch > > Time Spent: 10m > Remaining Estimate: 0h > > With doAs=true and StorageBasedAuthorization provider, create database with > specific location succeeds even if user doesn't have access to that path. > > {code:java} > hadoop fs -ls -d /tmp/cannot_write > drwx-- - hive hadoop 0 2020-04-01 22:53 /tmp/cannot_write > create a database under /tmp/cannot_write. We would expect it to fail, but is > actually created successfully with "hive" as the owner: > rtrivedi@bdp01:~> beeline -e "create database rtrivedi_1 location > '/tmp/cannot_write/rtrivedi_1'" > INFO : OK > No rows affected (0.116 seconds) > hive@hpchdd2e:~> hadoop fs -ls /tmp/cannot_write > Found 1 items > drwx-- - hive hadoop 0 2020-04-01 23:05 /tmp/cannot_write/rtrivedi_1 > {code} > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (HIVE-23339) SBA does not check permissions for DB location specified in Create database query
[ https://issues.apache.org/jira/browse/HIVE-23339?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17104267#comment-17104267 ] Hive QA commented on HIVE-23339: Here are the results of testing the latest attachment: https://issues.apache.org/jira/secure/attachment/13002598/HIVE-23339.01.patch {color:green}SUCCESS:{color} +1 due to 1 test(s) being added or modified. {color:green}SUCCESS:{color} +1 due to 17254 tests passed Test results: https://builds.apache.org/job/PreCommit-HIVE-Build/22260/testReport Console output: https://builds.apache.org/job/PreCommit-HIVE-Build/22260/console Test logs: http://104.198.109.242/logs/PreCommit-HIVE-Build-22260/ Messages: {noformat} Executing org.apache.hive.ptest.execution.TestCheckPhase Executing org.apache.hive.ptest.execution.PrepPhase Executing org.apache.hive.ptest.execution.YetusPhase Executing org.apache.hive.ptest.execution.ExecutionPhase Executing org.apache.hive.ptest.execution.ReportingPhase {noformat} This message is automatically generated. ATTACHMENT ID: 13002598 - PreCommit-HIVE-Build > SBA does not check permissions for DB location specified in Create database > query > - > > Key: HIVE-23339 > URL: https://issues.apache.org/jira/browse/HIVE-23339 > Project: Hive > Issue Type: Bug > Components: Hive >Affects Versions: 3.1.0 >Reporter: Riju Trivedi >Assignee: Shubham Chaurasia >Priority: Critical > Labels: pull-request-available > Attachments: HIVE-23339.01.patch > > Time Spent: 10m > Remaining Estimate: 0h > > With doAs=true and StorageBasedAuthorization provider, create database with > specific location succeeds even if user doesn't have access to that path. > > {code:java} > hadoop fs -ls -d /tmp/cannot_write > drwx-- - hive hadoop 0 2020-04-01 22:53 /tmp/cannot_write > create a database under /tmp/cannot_write. We would expect it to fail, but is > actually created successfully with "hive" as the owner: > rtrivedi@bdp01:~> beeline -e "create database rtrivedi_1 location > '/tmp/cannot_write/rtrivedi_1'" > INFO : OK > No rows affected (0.116 seconds) > hive@hpchdd2e:~> hadoop fs -ls /tmp/cannot_write > Found 1 items > drwx-- - hive hadoop 0 2020-04-01 23:05 /tmp/cannot_write/rtrivedi_1 > {code} > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (HIVE-23339) SBA does not check permissions for DB location specified in Create database query
[ https://issues.apache.org/jira/browse/HIVE-23339?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17104248#comment-17104248 ] Hive QA commented on HIVE-23339: | (/) *{color:green}+1 overall{color}* | \\ \\ || Vote || Subsystem || Runtime || Comment || || || || || {color:brown} Prechecks {color} || | {color:green}+1{color} | {color:green} @author {color} | {color:green} 0m 0s{color} | {color:green} The patch does not contain any @author tags. {color} | || || || || {color:brown} master Compile Tests {color} || | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 2m 7s{color} | {color:blue} Maven dependency ordering for branch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 8m 12s{color} | {color:green} master passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 1m 19s{color} | {color:green} master passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 0m 52s{color} | {color:green} master passed {color} | | {color:blue}0{color} | {color:blue} findbugs {color} | {color:blue} 0m 33s{color} | {color:blue} common in master has 63 extant Findbugs warnings. {color} | | {color:blue}0{color} | {color:blue} findbugs {color} | {color:blue} 3m 47s{color} | {color:blue} ql in master has 1527 extant Findbugs warnings. {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 1m 11s{color} | {color:green} master passed {color} | || || || || {color:brown} Patch Compile Tests {color} || | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m 29s{color} | {color:blue} Maven dependency ordering for patch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 1m 46s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 1m 19s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javac {color} | {color:green} 1m 19s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 0m 52s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} whitespace {color} | {color:green} 0m 0s{color} | {color:green} The patch has no whitespace issues. {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 4m 34s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 1m 8s{color} | {color:green} the patch passed {color} | || || || || {color:brown} Other Tests {color} || | {color:green}+1{color} | {color:green} asflicense {color} | {color:green} 0m 15s{color} | {color:green} The patch does not generate ASF License warnings. {color} | | {color:black}{color} | {color:black} {color} | {color:black} 29m 14s{color} | {color:black} {color} | \\ \\ || Subsystem || Report/Notes || | Optional Tests | asflicense javac javadoc findbugs checkstyle compile | | uname | Linux hiveptest-server-upstream 3.16.0-4-amd64 #1 SMP Debian 3.16.43-2+deb8u5 (2017-09-19) x86_64 GNU/Linux | | Build tool | maven | | Personality | /data/hiveptest/working/yetus_PreCommit-HIVE-Build-22260/dev-support/hive-personality.sh | | git revision | master / ffba728 | | Default Java | 1.8.0_111 | | findbugs | v3.0.1 | | modules | C: common ql U: . | | Console output | http://104.198.109.242/logs//PreCommit-HIVE-Build-22260/yetus.txt | | Powered by | Apache Yetushttp://yetus.apache.org | This message was automatically generated. > SBA does not check permissions for DB location specified in Create database > query > - > > Key: HIVE-23339 > URL: https://issues.apache.org/jira/browse/HIVE-23339 > Project: Hive > Issue Type: Bug > Components: Hive >Affects Versions: 3.1.0 >Reporter: Riju Trivedi >Assignee: Shubham Chaurasia >Priority: Critical > Labels: pull-request-available > Attachments: HIVE-23339.01.patch > > Time Spent: 10m > Remaining Estimate: 0h > > With doAs=true and StorageBasedAuthorization provider, create database with > specific location succeeds even if user doesn't have access to that path. > > {code:java} > hadoop fs -ls -d /tmp/cannot_write > drwx-- - hive hadoop 0 2020-04-01 22:53 /tmp/cannot_write > create a database under /tmp/cannot_write. We would expect it to fail, but is > actually created successfully with "hive" as the owner: > rtrivedi@bdp01:~> beeline -e "create database rtrivedi_1 location > '/tmp/cannot_write/rtrivedi_1'" > INFO : OK > No rows affected (0.116 seconds) > hive@hpchdd2e:~> hadoop fs -ls /tmp/cannot_write
[jira] [Commented] (HIVE-23339) SBA does not check permissions for DB location specified in Create database query
[ https://issues.apache.org/jira/browse/HIVE-23339?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17096477#comment-17096477 ] Riju Trivedi commented on HIVE-23339: - During doAuthorization() call for CreateDatabase operation , authorize is invoked only with read and write Privileges for the operation. {code:java} public void authorize(Privilege[] readRequiredPriv, Privilege[] writeRequiredPriv) throws HiveException, AuthorizationException { {code} In StorageBasedAuth, we only call checkPermissions() for root warehouse dir (hive.metastore.warehouse.dir) and not the specified location. So, any user who does not have access to directory will be able to create database if they have access to warehouse path. {code:java} Path root = null; try { initWh(); root = wh.getWhRoot(); authorize(root, readRequiredPriv, writeRequiredPriv);{code} > SBA does not check permissions for DB location specified in Create database > query > - > > Key: HIVE-23339 > URL: https://issues.apache.org/jira/browse/HIVE-23339 > Project: Hive > Issue Type: Bug > Components: Hive >Affects Versions: 3.1.0 >Reporter: Riju Trivedi >Assignee: Shubham Chaurasia >Priority: Critical > > With doAs=true and StorageBasedAuthorization provider, create database with > specific location succeeds even if user doesn't have access to that path. > > {code:java} > hadoop fs -ls -d /tmp/cannot_write > drwx-- - hive hadoop 0 2020-04-01 22:53 /tmp/cannot_write > create a database under /tmp/cannot_write. We would expect it to fail, but is > actually created successfully with "hive" as the owner: > rtrivedi@bdp01:~> beeline -e "create database rtrivedi_1 location > '/tmp/cannot_write/rtrivedi_1'" > INFO : OK > No rows affected (0.116 seconds) > hive@hpchdd2e:~> hadoop fs -ls /tmp/cannot_write > Found 1 items > drwx-- - hive hadoop 0 2020-04-01 23:05 /tmp/cannot_write/rtrivedi_1 > {code} > -- This message was sent by Atlassian Jira (v8.3.4#803005)