Details
-
Bug
-
Status: Open
-
Major
-
Resolution: Unresolved
-
None
-
None
-
None
Description
A possible info leak in the way how beeline connects to databases and uses the ACLs to prevent seeing unauthorised databases and tables.
It turns out that one can connect to a database that one should not see, but listing it afterwards gives no tables. This is still somewhat a security breach as an attacker can gain insight what databases exist.
The way the problem got identified:
root@prod-vm-cdh-mgr-01 ~]# kinit -kt ~test_mval.keytab test_mval
[root@prod-vm-cdh-mgr-01 ~]# beeline
Beeline version 1.1.0-cdh5.4.8 by Apache Hive
beeline> !connect jdbc:hive2://host:10000/testdb;principal=hive/_HOST@ABCD
scan complete in 6ms
Connecting to jdbc:hive2://host:10000/testdb;principal=hive/_HOST@ABCDÂ
Enter username for jdbc:hive2://host:10000/testdb;principal=hive/_HOST@ABCD:
Enter password for jdbc:hive2://host:10000/testdb;principal=hive/_HOST@ABCD:
Connected to: Apache Hive (version 1.1.0-cdh5.4.8)
Driver: Hive JDBC (version 1.1.0-cdh5.4.8)
Transaction isolation: TRANSACTION_REPEATABLE_READ
0: jdbc:hive2://host:10000/testdb> show databases;
-----------------+
database_name
-----------------+
test_mvaldb
default
-----------------+
2 rows selected (0.726 seconds)
0: jdbc:hive2://host:10000/testdb> show tables;
-----------+
tab_name
-----------+
-----------+
No rows selected (1.033 seconds)
0: jdbc:hive2://host:10000/testdb> !quit
Closing: 0: jdbc:hive2://host:10000/testdb;principal=hive/_HOST@ABCD
[root@foo ~]# beeline
Beeline version 1.1.0-cdh5.4.8 by Apache Hive
beeline> !connect jdbc:hive2://host:10000/asdasdasdasd;principal=hive/_HOST@ABCDÂ
scan complete in 2ms
Connecting to jdbc:hive2://host:10000/asdasdasdasd;principal=hive/_HOST@ABCD
Enter username for jdbc:hive2://host:10000/asdasdasdasd;principal=hive/_HOST@ABCD:
Enter password for jdbc:hive2://host:10000/asdasdasdasd;principal=hive/_HOST@ABCD:
Connected to: Apache Hive (version 1.1.0-cdh5.4.8)
Driver: Hive JDBC (version 1.1.0-cdh5.4.8)
Transaction isolation: TRANSACTION_REPEATABLE_READ
0: jdbc:hive2://host:10000/asdas> show tables;
Error: Error while processing statement: FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Database does not exist: asdasdasdasd (state=08S01,code=1)
0: jdbc:hive2://host:10000/asdas> !connect jdbc:hive2://host:10000/testdb;principal=hive/_HOST@ABCD
Connecting to jdbc:hive2://vm-cdh-01:10000/testdb;principal=hive/_HOST@ABCD
Enter username for jdbc:hive2://host:10000/testdb;principal=hive/_HOST@ABCD:
Enter password for jdbc:hive2://host:10000/testdb;principal=hive/_HOST@ABCD:
Connected to: Apache Hive (version 1.1.0-cdh5.4.8)
Driver: Hive JDBC (version 1.1.0-cdh5.4.8)
Transaction isolation: TRANSACTION_REPEATABLE_READ
1: jdbc:hive2://host:10000/testdb> show tables;
-----------+
tab_name
-----------+
-----------+
No rows selected (1.09 seconds)
1: jdbc:hive2://host:10000/testdb>
1: jdbc:hive2://host:10000/testdb>
1: jdbc:hive2://host:10000/testdb>
1: jdbc:hive2://host:10000/testdb>
1: jdbc:hive2://host:10000/testdb>
1: jdbc:hive2://host:10000/testdb> !quit;
Unknown command: quit;
1: jdbc:hive2://host:10000/testdb> !quit;
Unknown command: quit;
1: jdbc:hive2://host:10000/testdb> !quit