Sentry (Retired) / SENTRY-781

User can run function under a database that he/she has no access to



    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Duplicate
    • Affects Version/s: 1.4.0
    • Fix Version/s: None
    • Component/s: Hive Plugin
    • Labels: None


      When a user has no access to a particular database, he/she is still able to create a permanent function in it.

      For example, a role has no access to database "udf_test", as shown by the "show databases" command:

      | database_name  |
      | default        |

      However, this role can do the following two things:

      0: jdbc:hive2://> create function udf_test.upper_test as 'com.elin.ToUpper';
      No rows affected (0.216 seconds)

      The jar file has been loaded into the aux directory for Hive.

      0: jdbc:hive2://> select udf_test.upper_test(code) from sample_07 limit 10;
      INFO  : Number of reduce tasks is set to 0 since there's no reduce operator
      WARN  : Hadoop command-line option parsing not performed. Implement the Tool interface and execute your application with ToolRunner to remedy this.
      INFO  : number of splits:1
      INFO  : Submitting tokens for job: job_1434092815442_0004
      INFO  : Kind: HDFS_DELEGATION_TOKEN, Service:, Ident: (HDFS_DELEGATION_TOKEN token 24 for hive)
      INFO  : The url to track the job: http://host:8088/proxy/application_1434092815442_0004/
      INFO  : Starting Job = job_1434092815442_0004, Tracking URL = http://host:8088/proxy/application_1434092815442_0004/
      INFO  : Kill Command = /opt/cloudera/parcels/CDH-5.4.0-1.cdh5.4.0.p767.429/lib/hadoop/bin/hadoop job  -kill job_1434092815442_0004
      INFO  : Hadoop job information for Stage-1: number of mappers: 1; number of reducers: 0
      INFO  : 2015-06-19 17:04:48,003 Stage-1 map = 0%,  reduce = 0%
      INFO  : 2015-06-19 17:05:08,172 Stage-1 map = 100%,  reduce = 0%, Cumulative CPU 3.16 sec
      INFO  : MapReduce Total cumulative CPU time: 3 seconds 160 msec
      INFO  : Ended Job = job_1434092815442_0004

      This violates the Sentry permission mechanism.



              arjunmishra13 Arjun Mishra
              ericlin Eric Lin
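
An added example (not part of the original report, and not Sentry or Hive code): a heuristic audit over HiveServer2 statement records that flags the two actions shown in the description, creating a permanent function in a database the user cannot see and calling a db-qualified function there. The event tuples, the `db_access` map, the user names and all sample values are constructed; how statements and grants are exported from a deployment is an assumption.

```python
import re

# Hive syntax: CREATE [TEMPORARY] FUNCTION [db_name.]function_name AS 'class'
CREATE_FN = re.compile(
    r"^\s*create\s+(?P<temp>temporary\s+)?function\s+"
    r"(?:`?(?P<db>\w+)`?\s*\.\s*)?`?\w+`?\s+as\b", re.IGNORECASE)
# A db-qualified call such as udf_test.upper_test(code)
QUALIFIED_CALL = re.compile(r"`?(\w+)`?\s*\.\s*`?\w+`?\s*\(")
STRING_LITERAL = re.compile(r"'(?:[^'\\]|\\.)*'")


def databases_touched(statement, current_db="default"):
    """Return {(action, database)} for function DDL and db-qualified calls."""
    m = CREATE_FN.match(statement)
    if m:
        if m.group("temp"):  # session-scoped, not stored in any database
            return set()
        return {("create", (m.group("db") or current_db).lower())}
    code = STRING_LITERAL.sub("''", statement)  # ignore text inside literals
    return {("call", db.lower()) for db in QUALIFIED_CALL.findall(code)}


def findings(events, db_access):
    """events: (user, current_db, statement); db_access: user -> databases."""
    out = []
    for user, current_db, stmt in events:
        for action, db in sorted(databases_touched(stmt, current_db)):
            if db not in db_access.get(user, set()):
                out.append((user, action, db))
    return out


# Constructed sample data: "analyst" can see only "default", as in the report.
SAMPLE_ACCESS = {"analyst": {"default"}, "etl": {"default", "udf_test"}}
SAMPLE_EVENTS = [
    ("analyst", "default", "create function udf_test.upper_test as 'com.elin.ToUpper'"),
    ("analyst", "default", "CREATE TEMPORARY FUNCTION tmp_upper AS 'com.elin.ToUpper'"),
    ("analyst", "default", "create function lower_test as 'com.elin.ToUpper'"),
    ("etl", "default", "CREATE FUNCTION `udf_test`.`upper2` AS 'com.elin.ToUpper'"),
    ("analyst", "default", "select udf_test.upper_test(code) from sample_07 limit 10"),
]

if __name__ == "__main__":
    for finding in findings(SAMPLE_EVENTS, SAMPLE_ACCESS):
        print(finding)
```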