Hive / HIVE-9473

sql std auth should disallow built-in udfs that allow any java methods to be called

    Details

    • Release Note:
      SQL Standard authorization will disable the udfs reflect, reflect2 and java_method by automatically setting the udf blacklist config parameter (hive.server2.builtin.udf.blacklist). However, if HiveServer2 admin chooses to set the config param to a specific value, it will not be altered.

      Description

      As mentioned in HIVE-8893, some udfs can be used to execute arbitrary java methods. This should be disallowed when sql standard authorization is used.
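
The caveat in the release note (an admin-set blacklist is left unaltered) means a custom value can leave these UDFs callable. The following is an added audit sketch, not code from the Hive patch, that reads a hive-site.xml and reports which of the three UDFs the effective blacklist misses. Assumptions: the file belongs to a HiveServer2 running SQL Standard authorization, a missing or blank property counts as "not set", names are compared case-insensitively, and the function names and sample configs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# UDFs the release note names as disabled under SQL Standard authorization.
RISKY_UDFS = ("reflect", "reflect2", "java_method")
BLACKLIST_KEY = "hive.server2.builtin.udf.blacklist"


def read_properties(hive_site_xml):
    """Return {name: value} from Hadoop-style <configuration> XML text."""
    props = {}
    for prop in ET.fromstring(hive_site_xml).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props


def audit_udf_blacklist(hive_site_xml):
    """Model the release note: the default blacklist is applied only when
    the admin has not set one. Assumption: a blank value counts as not set."""
    configured = read_properties(hive_site_xml).get(BLACKLIST_KEY, "")
    if not configured:
        effective = set(RISKY_UDFS)  # value set automatically by SQL std auth
        admin_set = False
    else:
        # Assumption: UDF names are matched case-insensitively.
        effective = {n.strip().lower() for n in configured.split(",") if n.strip()}
        admin_set = True
    exposed = [u for u in RISKY_UDFS if u not in effective]
    return {"admin_set": admin_set, "exposed": exposed}


# Constructed sample configs, not taken from the issue.
UNSET = "<configuration></configuration>"
CUSTOM = """<configuration>
  <property>
    <name>hive.server2.builtin.udf.blacklist</name>
    <value>xpath, Reflect</value>
  </property>
</configuration>"""

if __name__ == "__main__":
    for label, xml_text in (("unset", UNSET), ("custom", CUSTOM)):
        print(label, audit_udf_blacklist(xml_text))
```

A non-empty `exposed` list on a config with `admin_set` true is the case to fix: add the missing names to the admin's own blacklist value.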

      1. HIVE-9473.1.patch
        11 kB
        Thejas M Nair


          Activity

          leftylev Lefty Leverenz added a comment -

          Added TODOC1.0 label.

          thejas Thejas M Nair added a comment -

          This issue has been fixed in Apache Hive 1.0.0. If there is any issue with the fix, please open a new jira to address it.

          thejas Thejas M Nair added a comment -

          Updating release version for jiras resolved in 1.0.0.

          brocknoland Brock Noland added a comment -

          Committed to 1.1.0, thx!

          leftylev Lefty Leverenz added a comment -

          Should this be documented in the SQL Standard Based Hive Authorization wikidoc (along with the configuration parameters created in HIVE-8893 - hive.server2.builtin.udf.whitelist & hive.server2.builtin.udf.blacklist)?

          thejas Thejas M Nair added a comment -

          Patch committed to 1.0 branch and trunk.
          Brock Noland, can you please merge this into branch-1.1?

          vikram.dixit Vikram Dixit K added a comment -

          +1 for 1.0.0

          thejas Thejas M Nair added a comment -

          Vikram Dixit K, I would like to get this along with HIVE-8893 into 1.0.0 as well. This is a security fix.

          hiveqa Hive QA added a comment -

          Overall: -1 at least one tests failed

          Here are the results of testing the latest attachment:
          https://issues.apache.org/jira/secure/attachment/12694865/HIVE-9473.1.patch

          ERROR: -1 due to 4 failed/errored test(s), 7407 tests executed
          Failed tests:

          org.apache.hadoop.hive.cli.TestMinimrCliDriver.testCliDriver_schemeAuthority
          org.apache.hadoop.hive.cli.TestSparkCliDriver.testCliDriver_join38
          org.apache.hadoop.hive.cli.TestSparkCliDriver.testCliDriver_subquery_in
          org.apache.hive.hcatalog.templeton.TestWebHCatE2e.getHiveVersion
          

          Test results: http://ec2-174-129-184-35.compute-1.amazonaws.com/jenkins/job/PreCommit-HIVE-TRUNK-Build/2564/testReport
          Console output: http://ec2-174-129-184-35.compute-1.amazonaws.com/jenkins/job/PreCommit-HIVE-TRUNK-Build/2564/console
          Test logs: http://ec2-174-129-184-35.compute-1.amazonaws.com/logs/PreCommit-HIVE-TRUNK-Build-2564/

          Messages:

          Executing org.apache.hive.ptest.execution.PrepPhase
          Executing org.apache.hive.ptest.execution.ExecutionPhase
          Executing org.apache.hive.ptest.execution.ReportingPhase
          Tests exited with: TestsFailedException: 4 tests failed
          

          This message is automatically generated.

          ATTACHMENT ID: 12694865 - PreCommit-HIVE-TRUNK-Build

          jdere Jason Dere added a comment -

          I think this looks fine. +1 if precommit run looks good.

          thejas Thejas M Nair added a comment -

          Adding release notes for doc input.


            People

            • Assignee:
              thejas Thejas M Nair
              Reporter:
              thejas Thejas M Nair