Details
- Bug
- Status: Closed
- Major
- Resolution: Fixed
- All Versions
Description
The #get_table_meta API, used by Apache Hue or any other application, is not gated by any of the authorization models that HiveMetastore provides.
For more information on the Storage Based Authorization model: https://cwiki.apache.org/confluence/display/Hive/HCatalog+Authorization
You can easily reproduce this with Apache Hive + Apache Hue:
<property>
  <name>hive.security.metastore.authorization.manager</name>
  <value>org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider</value>
</property>
<property>
  <name>hive.security.metastore.authenticator.manager</name>
  <value>org.apache.hadoop.hive.ql.security.HadoopDefaultMetastoreAuthenticator</value>
</property>
<property>
  <name>hive.metastore.pre.event.listeners</name>
  <value>org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener</value>
</property>
#!/bin/bash
set -x

# Create the database and table directories and load one sample row.
hdfs dfs -mkdir /datasets
hdfs dfs -mkdir /datasets/database1
hdfs dfs -mkdir /datasets/database1/table1
echo "stefano,1992" | hdfs dfs -put - /datasets/database1/table1/file1.csv

# Restrict the whole database directory to its owner.
hdfs dfs -chmod -R 700 /datasets/database1

# Write the DDL that maps the database and external table onto those directories.
sudo tee -a setup.hql > /dev/null <<EOT
CREATE DATABASE IF NOT EXISTS database1 LOCATION "/datasets/database1";
CREATE EXTERNAL TABLE IF NOT EXISTS database1.table1 (
  name string,
  year int)
ROW FORMAT DELIMITED
FIELDS TERMINATED BY ','
LOCATION '/datasets/database1/table1';
EOT

hive -f setup.hql
1. Log in to Hue => create the first user called "admin" and provide a password. Access the Hive Editor.
2. In the SQL section on the left, under Databases, you should see default and database1 listed. Click on database1.
3. As you can see, a table called table1 is listed => this should not be possible, as our admin user has no HDFS grants on /datasets/database1.
4. Run the following query from the Hive editor: SHOW TABLES; The output shows a Permission denied error => this is the expected behavior.
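
The difference between steps 3 and 4, as a simplified model added here for illustration (it is not Hive or Hue code): one metadata call runs the storage-based check first, the other returns table names without it. The owner `hive`, the group `hadoop` and every function name other than `get_table_meta` are assumptions.

```python
# Simplified model of storage-based authorization in front of metastore calls.
# Not Hive code: names and data below are constructed for this example.
from dataclasses import dataclass


@dataclass(frozen=True)
class HdfsDir:
    owner: str
    group: str
    mode: int  # POSIX permission bits, e.g. 0o700


# Constructed state mirroring the reproduction script (chmod -R 700).
# Owner "hive" and group "hadoop" are assumptions; the page does not name them.
DB_DIRS = {"database1": HdfsDir(owner="hive", group="hadoop", mode=0o700)}
TABLES = {"database1": ["table1"]}


def can_list(d, user, groups=()):
    """POSIX-style check for read + execute, the access needed to list a directory."""
    if user == d.owner:
        bits = (d.mode >> 6) & 0o7
    elif d.group in groups:
        bits = (d.mode >> 3) & 0o7
    else:
        bits = d.mode & 0o7
    return (bits & 0o5) == 0o5


def pre_event_check(db, user, groups=()):
    """Stand-in for an authorization pre-event listener: deny before the call runs."""
    if not can_list(DB_DIRS[db], user, groups):
        raise PermissionError(f"Permission denied: user={user}, database={db}")


def show_tables(db, user, groups=()):
    """Gated path: matches step 4, where the query ends in Permission denied."""
    pre_event_check(db, user, groups)
    return list(TABLES[db])


def get_table_meta_ungated(db, user, groups=()):
    """Reported behaviour: no authorization check, table names are returned."""
    return list(TABLES[db])


def get_table_meta_gated(db, user, groups=()):
    """Expected behaviour: the same check as show_tables runs first."""
    pre_event_check(db, user, groups)
    return list(TABLES[db])
```
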