[jira] [Commented] (SENTRY-1209) Sentry does not block Hive's cross-schema table renames
[
https://issues.apache.org/jira/browse/SENTRY-1209?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15380219#comment-15380219
]
Sravya Tirukkovalur commented on SENTRY-1209:
-
[~Tagar], This would be in the next release 1.8.0. Thanks!
> Sentry does not block Hive's cross-schema table renames
> ---
>
> Key: SENTRY-1209
> URL: https://issues.apache.org/jira/browse/SENTRY-1209
> Project: Sentry
> Issue Type: Bug
> Components: Core, Hive Binding, Hive Plugin, Sentry
>Affects Versions: 1.5.1
> Environment: CDH 5.5.2
>Reporter: Ruslan Dautkhanov
>Assignee: Colin Ma
>Priority: Critical
> Labels: security
> Fix For: 1.8.0
>
> Attachments: SENTRY-1209.001.patch, SENTRY-1209.002.patch,
> SENTRY-1209.003.patch, SENTRY-1209.004.patch, SENTRY-1209.005.patch,
> SENTRY-1209.006.patch
>
>
> User Pete
> has read-write access to schema A
> has read-only access to schema B
> User Pete nevertheless was able to rename/move Hive table
> from schema A to schema B (where he has read-only access):
> {quote}
> use A;
> alter table table_a rename to B.table_a;
> {quote}
> Hive allows to use rename table syntax to move tables across schemas, not
> just rename.
> Sentry does not check security boundaries in this case.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (SENTRY-1209) Sentry does not block Hive's cross-schema table renames
[
https://issues.apache.org/jira/browse/SENTRY-1209?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15379860#comment-15379860
]
Ruslan Dautkhanov commented on SENTRY-1209:
---
thank you. which Sentry release this patch will be included in?
> Sentry does not block Hive's cross-schema table renames
> ---
>
> Key: SENTRY-1209
> URL: https://issues.apache.org/jira/browse/SENTRY-1209
> Project: Sentry
> Issue Type: Bug
> Components: Core, Hive Binding, Hive Plugin, Sentry
>Affects Versions: 1.5.1
> Environment: CDH 5.5.2
>Reporter: Ruslan Dautkhanov
>Assignee: Colin Ma
>Priority: Critical
> Labels: security
> Attachments: SENTRY-1209.001.patch, SENTRY-1209.002.patch,
> SENTRY-1209.003.patch, SENTRY-1209.004.patch, SENTRY-1209.005.patch,
> SENTRY-1209.006.patch
>
>
> User Pete
> has read-write access to schema A
> has read-only access to schema B
> User Pete nevertheless was able to rename/move Hive table
> from schema A to schema B (where he has read-only access):
> {quote}
> use A;
> alter table table_a rename to B.table_a;
> {quote}
> Hive allows to use rename table syntax to move tables across schemas, not
> just rename.
> Sentry does not check security boundaries in this case.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (SENTRY-1209) Sentry does not block Hive's cross-schema table renames
[
https://issues.apache.org/jira/browse/SENTRY-1209?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15378711#comment-15378711
]
Colin Ma commented on SENTRY-1209:
--
Yes, the test case is in
TestDbPrivilegeCleanupOnDrop.testDropAndRenameWithMultiAction().
> Sentry does not block Hive's cross-schema table renames
> ---
>
> Key: SENTRY-1209
> URL: https://issues.apache.org/jira/browse/SENTRY-1209
> Project: Sentry
> Issue Type: Bug
> Components: Core, Hive Binding, Hive Plugin, Sentry
>Affects Versions: 1.5.1
> Environment: CDH 5.5.2
>Reporter: Ruslan Dautkhanov
>Assignee: Colin Ma
>Priority: Critical
> Labels: security
> Attachments: SENTRY-1209.001.patch, SENTRY-1209.002.patch,
> SENTRY-1209.003.patch, SENTRY-1209.004.patch, SENTRY-1209.005.patch,
> SENTRY-1209.006.patch
>
>
> User Pete
> has read-write access to schema A
> has read-only access to schema B
> User Pete nevertheless was able to rename/move Hive table
> from schema A to schema B (where he has read-only access):
> {quote}
> use A;
> alter table table_a rename to B.table_a;
> {quote}
> Hive allows to use rename table syntax to move tables across schemas, not
> just rename.
> Sentry does not check security boundaries in this case.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (SENTRY-1209) Sentry does not block Hive's cross-schema table renames
[
https://issues.apache.org/jira/browse/SENTRY-1209?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15378705#comment-15378705
]
Sravya Tirukkovalur commented on SENTRY-1209:
-
+1. Do we have coverage for rename db1.tb1 to db1.tb2?
> Sentry does not block Hive's cross-schema table renames
> ---
>
> Key: SENTRY-1209
> URL: https://issues.apache.org/jira/browse/SENTRY-1209
> Project: Sentry
> Issue Type: Bug
> Components: Core, Hive Binding, Hive Plugin, Sentry
>Affects Versions: 1.5.1
> Environment: CDH 5.5.2
>Reporter: Ruslan Dautkhanov
>Assignee: Colin Ma
>Priority: Critical
> Labels: security
> Attachments: SENTRY-1209.001.patch, SENTRY-1209.002.patch,
> SENTRY-1209.003.patch, SENTRY-1209.004.patch, SENTRY-1209.005.patch,
> SENTRY-1209.006.patch
>
>
> User Pete
> has read-write access to schema A
> has read-only access to schema B
> User Pete nevertheless was able to rename/move Hive table
> from schema A to schema B (where he has read-only access):
> {quote}
> use A;
> alter table table_a rename to B.table_a;
> {quote}
> Hive allows to use rename table syntax to move tables across schemas, not
> just rename.
> Sentry does not check security boundaries in this case.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (SENTRY-1209) Sentry does not block Hive's cross-schema table renames
[
https://issues.apache.org/jira/browse/SENTRY-1209?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15378704#comment-15378704
]
Colin Ma commented on SENTRY-1209:
--
[~sravya], update the RB. Thanks for review.
> Sentry does not block Hive's cross-schema table renames
> ---
>
> Key: SENTRY-1209
> URL: https://issues.apache.org/jira/browse/SENTRY-1209
> Project: Sentry
> Issue Type: Bug
> Components: Core, Hive Binding, Hive Plugin, Sentry
>Affects Versions: 1.5.1
> Environment: CDH 5.5.2
>Reporter: Ruslan Dautkhanov
>Assignee: Colin Ma
>Priority: Critical
> Labels: security
> Attachments: SENTRY-1209.001.patch, SENTRY-1209.002.patch,
> SENTRY-1209.003.patch, SENTRY-1209.004.patch, SENTRY-1209.005.patch,
> SENTRY-1209.006.patch
>
>
> User Pete
> has read-write access to schema A
> has read-only access to schema B
> User Pete nevertheless was able to rename/move Hive table
> from schema A to schema B (where he has read-only access):
> {quote}
> use A;
> alter table table_a rename to B.table_a;
> {quote}
> Hive allows to use rename table syntax to move tables across schemas, not
> just rename.
> Sentry does not check security boundaries in this case.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (SENTRY-1209) Sentry does not block Hive's cross-schema table renames
[
https://issues.apache.org/jira/browse/SENTRY-1209?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15345569#comment-15345569
]
Colin Ma commented on SENTRY-1209:
--
[~sravya], thanks for your comments, I agree that the minimum action should be
added to auth model for rename operation.
Will update the auth model with drop and create.
> Sentry does not block Hive's cross-schema table renames
> ---
>
> Key: SENTRY-1209
> URL: https://issues.apache.org/jira/browse/SENTRY-1209
> Project: Sentry
> Issue Type: Bug
> Components: Core, Hive Binding, Hive Plugin, Sentry
>Affects Versions: 1.5.1
> Environment: CDH 5.5.2
>Reporter: Ruslan Dautkhanov
>Assignee: Colin Ma
>Priority: Critical
> Labels: security
> Attachments: SENTRY-1209.001.patch, SENTRY-1209.002.patch,
> SENTRY-1209.003.patch, SENTRY-1209.004.patch, SENTRY-1209.005.patch
>
>
> User Pete
> has read-write access to schema A
> has read-only access to schema B
> User Pete nevertheless was able to rename/move Hive table
> from schema A to schema B (where he has read-only access):
> {quote}
> use A;
> alter table table_a rename to B.table_a;
> {quote}
> Hive allows to use rename table syntax to move tables across schemas, not
> just rename.
> Sentry does not check security boundaries in this case.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (SENTRY-1209) Sentry does not block Hive's cross-schema table renames
[
https://issues.apache.org/jira/browse/SENTRY-1209?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15341556#comment-15341556
]
Sravya Tirukkovalur commented on SENTRY-1209:
-
Reposting my comment from RB
Thanks for the change! The more I think about it, I feel we should be double
careful when making auth model change.
I am trying to think what the user behavior change would be for:
Alter table rename db1.tb1 to db1.tb2: We are essentially dropping db1.tb1 and
creating db1.tb2. So at minimum create and drop on db1 are required. Would
requiring all cause any inflexibility?
Alter table rename db1.tb1 to db2.tb2: At a minimum, user needs drop on db1 and
create on db2. Would requiring all cause any inflexibility?
And also what should our upgrade recommendation be?
> Sentry does not block Hive's cross-schema table renames
> ---
>
> Key: SENTRY-1209
> URL: https://issues.apache.org/jira/browse/SENTRY-1209
> Project: Sentry
> Issue Type: Bug
> Components: Core, Hive Binding, Hive Plugin, Sentry
>Affects Versions: 1.5.1
> Environment: CDH 5.5.2
>Reporter: Ruslan Dautkhanov
>Assignee: Colin Ma
>Priority: Critical
> Labels: security
> Attachments: SENTRY-1209.001.patch, SENTRY-1209.002.patch,
> SENTRY-1209.003.patch, SENTRY-1209.004.patch, SENTRY-1209.005.patch
>
>
> User Pete
> has read-write access to schema A
> has read-only access to schema B
> User Pete nevertheless was able to rename/move Hive table
> from schema A to schema B (where he has read-only access):
> {quote}
> use A;
> alter table table_a rename to B.table_a;
> {quote}
> Hive allows to use rename table syntax to move tables across schemas, not
> just rename.
> Sentry does not check security boundaries in this case.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (SENTRY-1209) Sentry does not block Hive's cross-schema table renames
[
https://issues.apache.org/jira/browse/SENTRY-1209?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15340794#comment-15340794
]
Colin Ma commented on SENTRY-1209:
--
[~sravya], any comment for the latest patch?
> Sentry does not block Hive's cross-schema table renames
> ---
>
> Key: SENTRY-1209
> URL: https://issues.apache.org/jira/browse/SENTRY-1209
> Project: Sentry
> Issue Type: Bug
> Components: Core, Hive Binding, Hive Plugin, Sentry
>Affects Versions: 1.5.1
> Environment: CDH 5.5.2
>Reporter: Ruslan Dautkhanov
>Assignee: Colin Ma
>Priority: Critical
> Labels: security
> Attachments: SENTRY-1209.001.patch, SENTRY-1209.002.patch,
> SENTRY-1209.003.patch, SENTRY-1209.004.patch, SENTRY-1209.005.patch
>
>
> User Pete
> has read-write access to schema A
> has read-only access to schema B
> User Pete nevertheless was able to rename/move Hive table
> from schema A to schema B (where he has read-only access):
> {quote}
> use A;
> alter table table_a rename to B.table_a;
> {quote}
> Hive allows to use rename table syntax to move tables across schemas, not
> just rename.
> Sentry does not check security boundaries in this case.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (SENTRY-1209) Sentry does not block Hive's cross-schema table renames
[
https://issues.apache.org/jira/browse/SENTRY-1209?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15317772#comment-15317772
]
Hadoop QA commented on SENTRY-1209:
---
Here are the results of testing the latest attachment
https://issues.apache.org/jira/secure/attachment/12808536/SENTRY-1209.005.patch
against master.
{color:green}Overall:{color} +1 all checks pass
{color:green}SUCCESS:{color} all tests passed
Console output:
https://builds.apache.org/job/PreCommit-SENTRY-Build/1681/console
This message is automatically generated.
> Sentry does not block Hive's cross-schema table renames
> ---
>
> Key: SENTRY-1209
> URL: https://issues.apache.org/jira/browse/SENTRY-1209
> Project: Sentry
> Issue Type: Bug
> Components: Core, Hive Binding, Hive Plugin, Sentry
>Affects Versions: 1.5.1
> Environment: CDH 5.5.2
>Reporter: Ruslan Dautkhanov
>Assignee: Colin Ma
>Priority: Critical
> Labels: security
> Attachments: SENTRY-1209.001.patch, SENTRY-1209.002.patch,
> SENTRY-1209.003.patch, SENTRY-1209.004.patch, SENTRY-1209.005.patch
>
>
> User Pete
> has read-write access to schema A
> has read-only access to schema B
> User Pete nevertheless was able to rename/move Hive table
> from schema A to schema B (where he has read-only access):
> {quote}
> use A;
> alter table table_a rename to B.table_a;
> {quote}
> Hive allows to use rename table syntax to move tables across schemas, not
> just rename.
> Sentry does not check security boundaries in this case.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (SENTRY-1209) Sentry does not block Hive's cross-schema table renames
[
https://issues.apache.org/jira/browse/SENTRY-1209?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15316321#comment-15316321
]
Hadoop QA commented on SENTRY-1209:
---
Here are the results of testing the latest attachment
https://issues.apache.org/jira/secure/attachment/12808244/SENTRY-1209.003.patch
against master.
{color:red}Overall:{color} -1 due to 4 errors
{color:red}ERROR:{color} mvn test exited 1
{color:red}ERROR:{color} Failed:
org.apache.sentry.tests.e2e.hive.TestOperationsPart1
{color:red}ERROR:{color} Failed:
org.apache.sentry.tests.e2e.dbprovider.TestDbOperationsPart1
{color:red}ERROR:{color} Failed:
org.apache.sentry.tests.e2e.dbprovider.TestDbOperationsPart1
Console output:
https://builds.apache.org/job/PreCommit-SENTRY-Build/1674/console
This message is automatically generated.
> Sentry does not block Hive's cross-schema table renames
> ---
>
> Key: SENTRY-1209
> URL: https://issues.apache.org/jira/browse/SENTRY-1209
> Project: Sentry
> Issue Type: Bug
> Components: Core, Hive Binding, Hive Plugin, Sentry
>Affects Versions: 1.5.1
> Environment: CDH 5.5.2
>Reporter: Ruslan Dautkhanov
>Assignee: Colin Ma
>Priority: Critical
> Labels: security
> Attachments: SENTRY-1209.001.patch, SENTRY-1209.002.patch,
> SENTRY-1209.003.patch
>
>
> User Pete
> has read-write access to schema A
> has read-only access to schema B
> User Pete nevertheless was able to rename/move Hive table
> from schema A to schema B (where he has read-only access):
> {quote}
> use A;
> alter table table_a rename to B.table_a;
> {quote}
> Hive allows to use rename table syntax to move tables across schemas, not
> just rename.
> Sentry does not check security boundaries in this case.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (SENTRY-1209) Sentry does not block Hive's cross-schema table renames
[
https://issues.apache.org/jira/browse/SENTRY-1209?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15316249#comment-15316249
]
Colin Ma commented on SENTRY-1209:
--
[~sravya], thanks for the comments, the patch is updated according to your
comments.
> Sentry does not block Hive's cross-schema table renames
> ---
>
> Key: SENTRY-1209
> URL: https://issues.apache.org/jira/browse/SENTRY-1209
> Project: Sentry
> Issue Type: Bug
> Components: Core, Hive Binding, Hive Plugin, Sentry
>Affects Versions: 1.5.1
> Environment: CDH 5.5.2
>Reporter: Ruslan Dautkhanov
>Assignee: Colin Ma
>Priority: Critical
> Labels: security
> Attachments: SENTRY-1209.001.patch, SENTRY-1209.002.patch,
> SENTRY-1209.003.patch
>
>
> User Pete
> has read-write access to schema A
> has read-only access to schema B
> User Pete nevertheless was able to rename/move Hive table
> from schema A to schema B (where he has read-only access):
> {quote}
> use A;
> alter table table_a rename to B.table_a;
> {quote}
> Hive allows to use rename table syntax to move tables across schemas, not
> just rename.
> Sentry does not check security boundaries in this case.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (SENTRY-1209) Sentry does not block Hive's cross-schema table renames
[
https://issues.apache.org/jira/browse/SENTRY-1209?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15307175#comment-15307175
]
Hadoop QA commented on SENTRY-1209:
---
Here are the results of testing the latest attachment
https://issues.apache.org/jira/secure/attachment/12807024/SENTRY-1209.002.patch
against master.
{color:green}Overall:{color} +1 all checks pass
{color:green}SUCCESS:{color} all tests passed
Console output:
https://builds.apache.org/job/PreCommit-SENTRY-Build/1658/console
This message is automatically generated.
> Sentry does not block Hive's cross-schema table renames
> ---
>
> Key: SENTRY-1209
> URL: https://issues.apache.org/jira/browse/SENTRY-1209
> Project: Sentry
> Issue Type: Bug
> Components: Core, Hive Binding, Hive Plugin, Sentry
>Affects Versions: 1.5.1
> Environment: CDH 5.5.2
>Reporter: Ruslan Dautkhanov
>Assignee: Colin Ma
>Priority: Critical
> Labels: security
> Attachments: SENTRY-1209.001.patch, SENTRY-1209.002.patch
>
>
> User Pete
> has read-write access to schema A
> has read-only access to schema B
> User Pete nevertheless was able to rename/move Hive table
> from schema A to schema B (where he has read-only access):
> {quote}
> use A;
> alter table table_a rename to B.table_a;
> {quote}
> Hive allows to use rename table syntax to move tables across schemas, not
> just rename.
> Sentry does not check security boundaries in this case.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (SENTRY-1209) Sentry does not block Hive's cross-schema table renames
[
https://issues.apache.org/jira/browse/SENTRY-1209?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15303350#comment-15303350
]
Colin Ma commented on SENTRY-1209:
--
[~sravya], I'll handle this problem.
> Sentry does not block Hive's cross-schema table renames
> ---
>
> Key: SENTRY-1209
> URL: https://issues.apache.org/jira/browse/SENTRY-1209
> Project: Sentry
> Issue Type: Bug
> Components: Core, Hive Binding, Hive Plugin, Sentry
>Affects Versions: 1.5.1
> Environment: CDH 5.5.2
>Reporter: Ruslan Dautkhanov
>Priority: Critical
> Labels: security
>
> User Pete
> has read-write access to schema A
> has read-only access to schema B
> User Pete nevertheless was able to rename/move Hive table
> from schema A to schema B (where he has read-only access):
> {quote}
> use A;
> alter table table_a rename to B.table_a;
> {quote}
> Hive allows to use rename table syntax to move tables across schemas, not
> just rename.
> Sentry does not check security boundaries in this case.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (SENTRY-1209) Sentry does not block Hive's cross-schema table renames
[
https://issues.apache.org/jira/browse/SENTRY-1209?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15303158#comment-15303158
]
Sravya Tirukkovalur commented on SENTRY-1209:
-
Would be good to fix this. [~colinma] will you be interested in picking this up?
> Sentry does not block Hive's cross-schema table renames
> ---
>
> Key: SENTRY-1209
> URL: https://issues.apache.org/jira/browse/SENTRY-1209
> Project: Sentry
> Issue Type: Bug
> Components: Core, Hive Binding, Hive Plugin, Sentry
>Affects Versions: 1.5.1
> Environment: CDH 5.5.2
>Reporter: Ruslan Dautkhanov
>Priority: Critical
> Labels: security
>
> User Pete
> has read-write access to schema A
> has read-only access to schema B
> User Pete nevertheless was able to rename/move Hive table
> from schema A to schema B (where he has read-only access):
> {quote}
> use A;
> alter table table_a rename to B.table_a;
> {quote}
> Hive allows to use rename table syntax to move tables across schemas, not
> just rename.
> Sentry does not check security boundaries in this case.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
