Terry,

Yes, this is seen with SQL standard authorization, Ranger and I suppose Sentry-based authorization as well. Hive was not passing the table objects to the authorization plugin implementations during authorization API calls.

On Wed, Nov 7, 2018 at 1:49 PM Terry <tharu...@gmail.com> wrote:
>
> Daniel - Is this happening when beeline security is enabled? Can you provide
> a link for more info on this?
>
> On Wed, Nov 7, 2018 at 14:25 Daniel Dai <da...@apache.org> wrote:
>>
>> CVE-2018-1314: Hive explain query not being authorized
>>
>> Severity: Important
>>
>> Vendor: The Apache Software Foundation
>>
>> Versions Affected: This vulnerability affects all versions of Hive,
>> including 2.3.3, 3.1.0 and earlier
>>
>> Description: Hive "EXPLAIN" operation does not check for necessary
>> authorization of involved entities in a query. An unauthorized user
>> can do "EXPLAIN" on arbitrary table or view and expose table metadata
>> and statistics.
>>
>> Mitigation: all Hive users shall upgrade to 2.3.4 or 3.1.1 or later
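
The failure mode described in the reply at the top of this thread (the authorization plugin being called without the table objects) can be modelled in a few lines. This is an added Python example, not Hive or plugin code; the grant table, the function names and the "fixed" input path are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed grants: (user, table) pairs holding SELECT. Not real Hive metadata.
GRANTS = {("alice", "sales.orders")}


class AccessDenied(Exception):
    pass


@dataclass
class Statement:
    op: str        # "QUERY" or "EXPLAIN"
    tables: tuple  # tables read by the query (or by the explained query)


def check_privileges(user, op, input_tables):
    """Toy plugin: deny if the user lacks SELECT on any object it is handed."""
    for table in input_tables:
        if (user, table) not in GRANTS:
            raise AccessDenied(f"{user} lacks SELECT on {table} ({op})")
    # An empty input list falls through: nothing to check, so nothing is denied.


def inputs_flawed(stmt):
    # Models the reported behaviour: EXPLAIN reaches the plugin with no table objects.
    return () if stmt.op == "EXPLAIN" else stmt.tables


def inputs_fixed(stmt):
    # Assumed correction for this model: EXPLAIN carries the explained query's tables.
    return stmt.tables


def is_allowed(user, stmt, collect_inputs):
    try:
        check_privileges(user, stmt.op, collect_inputs(stmt))
        return True
    except AccessDenied:
        return False


if __name__ == "__main__":
    for user in ("alice", "bob"):
        for op in ("QUERY", "EXPLAIN"):
            stmt = Statement(op, ("sales.orders",))
            print(user, op,
                  "flawed:", is_allowed(user, stmt, inputs_flawed),
                  "fixed:", is_allowed(user, stmt, inputs_fixed))
```

The model shows why the plugin type (SQL standard, Ranger, Sentry) does not matter: a plugin can only deny on objects it is given, so the gap sits in the caller.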