Uploaded image for project: 'Hive'
  1. Hive
  2. HIVE-10022

Authorization checks for non existent file/directory should not be recursive

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • 0.14.0
    • 2.1.1, 2.2.0
    • Authorization
    • None

    Description

      I am testing a query like :

      set hive.test.authz.sstd.hs2.mode=true;
      set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
      set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
      set hive.security.authorization.enabled=true;
      set user.name=user1;
      create table auth_noupd(i int) clustered by into 2 buckets stored as orc location '${OUTPUT}' TBLPROPERTIES ('transactional'='true');

      Now, in the above query, since authorization is true,
      we would end up calling doAuthorizationV2() which ultimately ends up calling SQLAuthorizationUtils.getPrivilegesFromFS() which calls a recursive method : FileUtils.isActionPermittedForFileHierarchy() with the object or the ancestor of the object we are trying to authorize if the object does not exist.

      The logic in FileUtils.isActionPermittedForFileHierarchy() is DFS.

      Now assume, we have a path as a/b/c/d that we are trying to authorize.
      In case, a/b/c/d does not exist, we would call FileUtils.isActionPermittedForFileHierarchy() with say a/b/ assuming a/b/c also does not exist.
      If under the subtree at a/b, we have millions of files, then FileUtils.isActionPermittedForFileHierarchy() is going to check file permission on each of those objects.

      I do not completely understand why do we have to check for file permissions in all the objects in branch of the tree that we are not trying to read from /write to.
      We could have checked file permission on the ancestor that exists and if it matches what we expect, the return true.

      Please confirm if this is a bug so that I can submit a patch else let me know what I am missing ?

      Attachments

        1. HIVE-10022.9.patch
          21 kB
          Sushanth Sowmyan
        2. HIVE-10022.8.patch
          21 kB
          Sushanth Sowmyan
        3. HIVE-10022.7.patch
          20 kB
          Sushanth Sowmyan
        4. HIVE-10022.6.patch
          20 kB
          Sushanth Sowmyan
        5. HIVE-10022.5.patch
          15 kB
          Sushanth Sowmyan
        6. HIVE-10022.4.patch
          15 kB
          Sushanth Sowmyan
        7. HIVE-10022.3.patch
          5 kB
          Sushanth Sowmyan
        8. HIVE-10022.2.patch
          4 kB
          Pankit Thapar
        9. HIVE-10022.patch
          4 kB
          Pankit Thapar

        Issue Links

          Activity

            People

              sushanth Sushanth Sowmyan
              pankit Pankit Thapar
              Votes:
              0 Vote for this issue
              Watchers:
              8 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: