Hive / HIVE-5989

Hive metastore authorization check is not threadsafe


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 0.11.0, 0.12.0, 0.12.1
    • Fix Version/s: 0.13.0
    • Component/s: Metastore, Security
    • Labels: None

    Description

      Metastore-side authorization has a couple of pretty important thread-safety bugs in it:

      a) The HiveMetastoreAuthenticated instantiated by the AuthorizationPreEventListener is static. This is a premature optimization and incorrect, as it will result in Authenticator implementations that store state potentially giving an incorrect result, and this bug very much exists with the DefaultMetastoreAuthenticator.

      b) It assumes HMSHandler.getHiveConf() is itself going to be thread-safe, which it is not. HMSHandler.getConf() is the appropriate thread-safe equivalent.

      The effect of this bug is that if there are two users that are concurrently running jobs on the metastore, we might:

      a) Allow a user to do something they didn't have permission to, because the other person did. (Security hole)
      b) Disallow a user from doing something they should have permission to (More common - annoying and can cause job failures)

      Attachments

        1. SleepyAP.patch
          5 kB
          Sushanth Sowmyan
        2. HIVE-5989.patch
          9 kB
          Sushanth Sowmyan
        3. HIVE-5989.2.patch
          9 kB
          Sushanth Sowmyan
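
The race in item (a) of the description, reduced to an added Java example that is not Hive's code and is not taken from the attached patches. The class `Authenticator`, the policy set `MAY_DROP` and the users `alice` and `bob` are hypothetical, and latches force the interleaving so the outcome is deterministic: with the shared static instance bob's check is evaluated against alice's identity, while with a per-thread instance (one way to remove the sharing, assumed here) it is evaluated against his own.

```java
import java.util.Set;
import java.util.concurrent.CountDownLatch;

// Hypothetical classes for illustration; not Hive's code.
public class SharedAuthenticatorRace {
    // Stateful authenticator: remembers the caller between setUser() and the check.
    static class Authenticator {
        private String user;
        void setUser(String u) { user = u; }
        String getUser() { return user; }
    }

    static final Set<String> MAY_DROP = Set.of("alice");      // constructed policy
    static final Authenticator SHARED = new Authenticator();   // one instance for all threads (the bug)
    static final ThreadLocal<Authenticator> PER_THREAD =
        ThreadLocal.withInitial(Authenticator::new);           // one instance per handler thread

    // Runs bob's request while alice's request lands between bob's setUser and his check.
    static boolean bobAllowed(boolean shared) throws InterruptedException {
        CountDownLatch bobSet = new CountDownLatch(1), aliceSet = new CountDownLatch(1);
        boolean[] result = new boolean[1];
        Thread bob = new Thread(() -> {
            Authenticator a = shared ? SHARED : PER_THREAD.get();
            a.setUser("bob");
            bobSet.countDown();
            await(aliceSet);                       // forced interleaving, for determinism
            result[0] = MAY_DROP.contains(a.getUser());
        });
        Thread alice = new Thread(() -> {
            await(bobSet);
            (shared ? SHARED : PER_THREAD.get()).setUser("alice");
            aliceSet.countDown();
        });
        bob.start(); alice.start();
        bob.join(); alice.join();
        return result[0];
    }

    static void await(CountDownLatch l) {
        try { l.await(); } catch (InterruptedException e) { throw new IllegalStateException(e); }
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("shared instance, bob allowed:     " + bobAllowed(true));
        System.out.println("per-thread instance, bob allowed: " + bobAllowed(false));
    }
}
```

Swapping which user sets the state last gives the opposite failure from the description: a permitted user is denied.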


          People

            Assignee: Sushanth Sowmyan
            Reporter: Sushanth Sowmyan