Details
-
Bug
-
Status: Resolved
-
Minor
-
Resolution: Duplicate
-
1.4.0
-
None
-
None
Description
When user has no access to a particular database, he/she is still able to create permanent function in it.
For example, a role has no access to database "udf_test", as show by the "show databases" command:
+----------------+--+
| database_name |
+----------------+--+
| default |
+----------------+--+
However, this role can do the following two things:
0: jdbc:hive2://10.17.74.148:10000/default> create function udf_test.upper_test as 'com.elin.ToUpper';
No rows affected (0.216 seconds)
The jar file has been loaded into aux directory for Hive.
0: jdbc:hive2://10.17.74.148:10000/default> select udf_test.upper_test(code) from sample_07 limit 10; INFO : Number of reduce tasks is set to 0 since there's no reduce operator WARN : Hadoop command-line option parsing not performed. Implement the Tool interface and execute your application with ToolRunner to remedy this. INFO : number of splits:1 INFO : Submitting tokens for job: job_1434092815442_0004 INFO : Kind: HDFS_DELEGATION_TOKEN, Service: 10.17.74.148:8020, Ident: (HDFS_DELEGATION_TOKEN token 24 for hive) INFO : The url to track the job: http://host:8088/proxy/application_1434092815442_0004/ INFO : Starting Job = job_1434092815442_0004, Tracking URL = http://host:8088/proxy/application_1434092815442_0004/ INFO : Kill Command = /opt/cloudera/parcels/CDH-5.4.0-1.cdh5.4.0.p767.429/lib/hadoop/bin/hadoop job -kill job_1434092815442_0004 INFO : Hadoop job information for Stage-1: number of mappers: 1; number of reducers: 0 INFO : 2015-06-19 17:04:48,003 Stage-1 map = 0%, reduce = 0% INFO : 2015-06-19 17:05:08,172 Stage-1 map = 100%, reduce = 0%, Cumulative CPU 3.16 sec INFO : MapReduce Total cumulative CPU time: 3 seconds 160 msec INFO : Ended Job = job_1434092815442_0004
This violates the sentry permission mechanism.
Attachments
Issue Links
- is related to
-
SENTRY-2240 User can DROP function under a database that he/she has no access
- Resolved