Hive / HIVE-5837

SQL standard based secure authorization for hive

    Details

      Description

      The current default authorization is incomplete and not secure. The alternative of storage-based authorization provides security but does not provide fine-grained authorization.

      The proposal is to support secure fine-grained authorization in Hive using the SQL standard based authorization model.

        Issue Links

        # | Summary | Type | Status | Assignee | Progress | Time tracking
        1 | SQL std auth - parser changes | Sub-task | Resolved | Thejas M Nair | 100% | Original Estimate - 96h; Time Spent - 168h
        2 | Add a hive authorization plugin api that does not assume privileges needed | Sub-task | Resolved | Thejas M Nair | 100% | Original Estimate - 120h; Time Spent - 6h; Time Not Required
        3 | SQL std auth - Access control statement updates | Sub-task | Resolved | Thejas M Nair | 16% | Original Estimate - 48h; Time Spent - 1.6h; Remaining Estimate - 8h; Time Not Required
        4 | SQL std auth - implement set roles, show current roles | Sub-task | Resolved | Ashutosh Chauhan | 0% | Original Estimate - 36h; Remaining Estimate - 36h
        5 | SQL std auth - add metastore get_principals_in_role api, support SHOW PRINCIPALS role_name | Sub-task | Resolved | Thejas M Nair | 0% | Original Estimate - 24h; Remaining Estimate - 24h
        6 | SQL std auth - add list_all_roles to metastore api | Sub-task | Resolved | Unassigned | 100% | Original Estimate - 24h; Time Spent - 1h; Time Not Required
        7 | SQL std auth - get_privilege_set should check role hierarchy | Sub-task | Resolved | Unassigned | 0% | Original Estimate - 24h; Remaining Estimate - 24h
        8 | SQL std auth - add support to metastore api to list all privileges for a user | Sub-task | Resolved | Unassigned | 0% | Original Estimate - 24h; Remaining Estimate - 24h
        9 | SQL std auth - support,authorize new 'show grant..' statements | Sub-task | Resolved | Unassigned | 0% | Original Estimate - 36h; Remaining Estimate - 36h
        10 | SQL std auth - support 'show roles' | Sub-task | Resolved | Navis | 100% | Original Estimate - 24h; Time Spent - 24h
        11 | SQL std auth - support DESCRIBE ROLE | Sub-task | Resolved | Thejas M Nair | 0% | Original Estimate - 24h; Remaining Estimate - 24h
        12 | SQL std auth - authorize DESCRIBE ROLE role | Sub-task | Resolved | Thejas M Nair | 0% | Original Estimate - 12h; Remaining Estimate - 12h
        13 | SQL std auth - authorize show all roles, create role, drop role | Sub-task | Resolved | Ashutosh Chauhan | 0% | Original Estimate - 24h; Remaining Estimate - 24h
        14 | SQL std auth - authorize grant/revoke roles | Sub-task | Resolved | Ashutosh Chauhan | 0% | Original Estimate - 48h; Remaining Estimate - 48h
        15 | SQL std auth - authorize grant/revoke on table | Sub-task | Resolved | Thejas M Nair | 100% | Original Estimate - 120h; Time Spent - 144h
        16 | SQL std auth - metastore api support for get_privilege_set api that checks specific role | Sub-task | Resolved | Unassigned | 100% | Original Estimate - 48h; Time Spent - 24h; Time Not Required
        17 | SQL std auth - authorize statements that work with paths | Sub-task | Resolved | Thejas M Nair | 0% | Original Estimate - 72h; Remaining Estimate - 72h
        18 | SQL std auth - bootstrap SUPERUSER roles | Sub-task | Resolved | Ashutosh Chauhan | 100% | Original Estimate - 72h; Time Spent - 24h; Time Not Required
        19 | SQL std auth - special handling of PUBLIC role | Sub-task | Resolved | Ashutosh Chauhan | 100% | Original Estimate - 24h; Time Spent - 24h
        20 | sql standard auth should disable commands that impose security risk | Sub-task | Resolved | Ashutosh Chauhan | 0% | Original Estimate - 72h; Remaining Estimate - 72h
        21 | SQL std auth - authorize create database | Sub-task | Resolved | Thejas M Nair | 0% | Original Estimate - 48h; Remaining Estimate - 48h
        22 | SQL std auth - support granted-by in grant statements | Sub-task | Resolved | Unassigned | 0% | Original Estimate - 24h; Remaining Estimate - 24h
        23 | SQL std auth - support new privileges INSERT, DELETE | Sub-task | Resolved | Thejas M Nair | 100% | Original Estimate - 12h; Time Spent - 9h; Time Not Required
        24 | SQL std auth - make role/user optional in grant/revoke statements | Sub-task | Resolved | Thejas M Nair | 0% | Original Estimate - 24h; Remaining Estimate - 24h
        25 | support grant/revoke on views - parser changes | Sub-task | Resolved | Ashutosh Chauhan | 100% | Original Estimate - 24h; Time Spent - 24h
        26 | sql std auth - authorize 'show roles' | Sub-task | Resolved | Ashutosh Chauhan | 0% | Original Estimate - 12h; Remaining Estimate - 12h
        27 | sql std auth - view authorization should not underlying table. More tests and fixes. | Sub-task | Resolved | Thejas M Nair | 0% | Original Estimate - 24h; Remaining Estimate - 24h
        28 | sql std auth - support 'with admin option' in revoke role metastore api | Sub-task | Closed | Jason Dere | 0% | Original Estimate - 24h; Remaining Estimate - 24h
        29 | sql std auth - revoke role should support sql standard syntax for admin option | Sub-task | Resolved | Unassigned | 0% | Original Estimate - 24h; Remaining Estimate - 24h
        30 | sql standard auth - use admin option specified in grant/revoke role statement | Sub-task | Resolved | Ashutosh Chauhan | 0% | Original Estimate - 12h; Remaining Estimate - 12h
        31 | sql std auth - disallow cycles between roles | Sub-task | Resolved | Thejas M Nair | 100% | Original Estimate - 24h; Time Spent - 24h
        32 | sql std auth - pass username from sessionstate to v2 authorization interface | Sub-task | Resolved | Thejas M Nair | 100% | Original Estimate - 24h; Time Spent - 24h
        33 | sql std auth - document configuration necessary for security | Sub-task | Resolved | Thejas M Nair | 0% | Original Estimate - 12h; Remaining Estimate - 12h
        34 | sql std auth - revoke privileges api in metastore should check grantor user | Sub-task | Resolved | Unassigned | 0% | Original Estimate - 24h; Remaining Estimate - 24h
        35 | sql std auth - database should have an owner | Sub-task | Resolved | Ashutosh Chauhan
        36 | Test authorization_revoke_table_priv.q is failing on trunk | Sub-task | Resolved | Thejas M Nair
        37 | Disallow transform clause in sql std authorization mode | Sub-task | Resolved | Ashutosh Chauhan
        38 | sql std auth - new users in admin role config should get added | Sub-task | Resolved | Ashutosh Chauhan
        39 | SQL std auth - revert change for view keyword in grant statement | Sub-task | Resolved | Thejas M Nair
        40 | SQL std auth - allow grant/revoke roles if user has ADMIN OPTION | Sub-task | Resolved | Ashutosh Chauhan
        41 | Restrict function create/drop to admin roles | Sub-task | Resolved | Jason Dere
        42 | sql std auth - add command to change owner of database | Sub-task | Resolved | Thejas M Nair
        43 | SQL std auth - only db owner should be allowed to create table within a db | Sub-task | Resolved | Ashutosh Chauhan
        44 | SQL std auth - pass username from hiveserver2 to sessionstate | Sub-task | Resolved | Thejas M Nair
        45 | "show grant ... on all" fails with NPE | Sub-task | Resolved | Thejas M Nair
        46 | sql std auth - show grant statement for all principals throws NPE | Sub-task | Resolved | Thejas M Nair
        47 | Revoke privilege should support revoking of grant option | Sub-task | Closed | Jason Dere


            People

            • Assignee: Thejas M Nair
            • Reporter: Thejas M Nair
            • Votes: 0
            • Watchers: 24


                Time Tracking

                Estimated: 1,284h
                Remaining: 632h
                Logged: 497.6h
