  1. Sentry
  2. SENTRY-1694

Hive/Sentry plugin doesn't check URI effectiveness when calling GRANT

    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 1.7.0
    • Fix Version/s: None
    • Component/s: Hive Plugin
    • Labels:
      None

      Description

      Sentry doesn't check URI effectiveness when executing GRANT commands on Hive, even though it requires a full URI path in HDFS.

      GRANT is allowing users to provide any invalid URI paths, like below:

      GRANT ALL ON URI "hdfs://hdfs://localhost:8020:8020///tmp/myjar.jar" TO ROLE role1
      

      If the user attempts to create a function from the correct URI, then Sentry won't find the URI and it will fail with a permission denied.

      Error: Error while compiling statement: FAILED: SemanticException No valid privileges
      User sergio does not have privileges for CREATEFUNCTION
      The required privileges: Server=server1->URI=hdfs://localhost:8020/tmp/myjar.jar->action=*; (state=42000,code=40000)
      

      I noticed that the Hive/Sentry plugin checks if the URI is normalized during the CREATE FUNCTION command. If not, it will skip it and continue with other available URI.

      I think we should apply the same normalization check during the GRANT to at least alert the user that the URI might be wrong.
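
One way to run the GRANT-time check proposed above, as an added example (not Sentry's code and not part of the original report): it uses `java.net.URI` to flag a URI argument that does not parse, lacks a scheme, or has a path that is not absolute and normalized. The class and method names are hypothetical; the two sample URIs are the ones quoted in the report.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.List;

// Added illustration: GrantUriCheck and findProblems are hypothetical names,
// not part of the Sentry code base.
public class GrantUriCheck {
    // Returns the reasons a GRANT ... ON URI argument looks unusable (empty list = none found).
    static List<String> findProblems(String raw) {
        List<String> problems = new ArrayList<>();
        URI uri;
        try {
            uri = new URI(raw);
        } catch (URISyntaxException e) {
            problems.add("not parseable as a URI: " + e.getReason());
            return problems;
        }
        if (uri.getScheme() == null) {
            problems.add("no scheme; a full URI such as hdfs://host:port/path is expected");
        }
        if (uri.getRawAuthority() != null && uri.getHost() == null) {
            problems.add("authority '" + uri.getRawAuthority() + "' is not host[:port]");
        }
        String path = uri.getPath();
        if (path == null || !path.startsWith("/")) {
            problems.add("path is missing or not absolute");
            return problems;
        }
        if (path.contains("//")) {
            problems.add("path has empty segments: " + path);
        }
        for (String segment : path.split("/")) {
            if (segment.equals(".") || segment.equals("..")) {
                problems.add("path has a '" + segment + "' segment: " + path);
            }
        }
        return problems;
    }

    public static void main(String[] args) {
        String[] samples = {
            "hdfs://hdfs://localhost:8020:8020///tmp/myjar.jar", // GRANT argument from the report
            "hdfs://localhost:8020/tmp/myjar.jar"                // URI from the error message
        };
        for (String s : samples) {
            System.out.println(s + " -> " + findProblems(s)); // [] means no problem found
        }
    }
}
```

A GRANT handler could log or return these reasons as a warning instead of rejecting the statement, which matches the "at least alert the user" behaviour the report asks for.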

            People

            • Assignee:
              Unassigned
              Reporter:
              spena Sergio Peña