Sentry / SENTRY-781

User can run function under a database that he/she has no access to

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Duplicate
    • Affects Version/s: 1.4.0
    • Fix Version/s: None
    • Component/s: Hive Plugin
    • Labels:
      None

      Description

      When a user has no access to a particular database, he/she is still able to create a permanent function in it.

      For example, a role has no access to database "udf_test", as shown by the "show databases" command:

      +----------------+--+
      | database_name  |
      +----------------+--+
      | default        |
      +----------------+--+
      

      However, this role can do the following two things:

      0: jdbc:hive2://10.17.74.148:10000/default> create function udf_test.upper_test as 'com.elin.ToUpper';
      No rows affected (0.216 seconds)
      

      The jar file has been loaded into the aux directory for Hive.

      0: jdbc:hive2://10.17.74.148:10000/default> select udf_test.upper_test(code) from sample_07 limit 10;
      INFO  : Number of reduce tasks is set to 0 since there's no reduce operator
      WARN  : Hadoop command-line option parsing not performed. Implement the Tool interface and execute your application with ToolRunner to remedy this.
      INFO  : number of splits:1
      INFO  : Submitting tokens for job: job_1434092815442_0004
      INFO  : Kind: HDFS_DELEGATION_TOKEN, Service: 10.17.74.148:8020, Ident: (HDFS_DELEGATION_TOKEN token 24 for hive)
      INFO  : The url to track the job: http://host:8088/proxy/application_1434092815442_0004/
      INFO  : Starting Job = job_1434092815442_0004, Tracking URL = http://host:8088/proxy/application_1434092815442_0004/
      INFO  : Kill Command = /opt/cloudera/parcels/CDH-5.4.0-1.cdh5.4.0.p767.429/lib/hadoop/bin/hadoop job  -kill job_1434092815442_0004
      INFO  : Hadoop job information for Stage-1: number of mappers: 1; number of reducers: 0
      INFO  : 2015-06-19 17:04:48,003 Stage-1 map = 0%,  reduce = 0%
      INFO  : 2015-06-19 17:05:08,172 Stage-1 map = 100%,  reduce = 0%, Cumulative CPU 3.16 sec
      INFO  : MapReduce Total cumulative CPU time: 3 seconds 160 msec
      INFO  : Ended Job = job_1434092815442_0004
      

      This violates the Sentry permission mechanism.
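
An added example, not part of the original report or of Sentry's code: an audit heuristic that treats the role's `show databases` output as the list of databases it can access, as the report does, and flags statements in a beeline transcript that create or call a function in any other database. The function names, the regexes and the constructed transcript are assumptions made for illustration.

```python
import re

# Constructed input, modelled on the beeline session in the report above.
SHOW_DATABASES = """\
+----------------+--+
| database_name  |
+----------------+--+
| default        |
+----------------+--+
"""
TRANSCRIPT = """\
0: jdbc:hive2://10.17.74.148:10000/default> create function udf_test.upper_test as 'com.elin.ToUpper';
No rows affected (0.216 seconds)
0: jdbc:hive2://10.17.74.148:10000/default> select udf_test.upper_test(code) from sample_07 limit 10;
0: jdbc:hive2://10.17.74.148:10000/default> select upper(code) from sample_07 limit 10;
"""

# Assumption: the database in the prompt's JDBC URL is the session's current database.
PROMPT = re.compile(r"^\d+: jdbc:hive2://\S+/(\w+)> (.*)$")
CREATE_FN = re.compile(r"^\s*create\s+function\s+(?:(\w+)\.)?(\w+)", re.I)
QUALIFIED_CALL = re.compile(r"\b(\w+)\.(\w+)\s*\(")

def visible_databases(table_text):
    """Parse beeline's one-column ASCII table for `show databases` into a set."""
    names = set()
    for line in table_text.splitlines():
        cell = line.strip().strip("|").strip()
        if line.startswith("|") and cell and cell != "database_name":
            names.add(cell.lower())
    return names

def audit(transcript, visible):
    """Return (action, database, function) tuples; regex heuristic, not a HiveQL parser."""
    findings = []
    for line in transcript.splitlines():
        m = PROMPT.match(line)
        if not m:
            continue  # job log or result line, not a statement
        session_db, stmt = m.group(1).lower(), m.group(2)
        created = CREATE_FN.match(stmt)
        if created:
            db = (created.group(1) or session_db).lower()
            if db not in visible:
                findings.append(("create", db, created.group(2)))
            continue
        for db, fn in QUALIFIED_CALL.findall(stmt):
            if db.lower() not in visible:
                findings.append(("call", db.lower(), fn))
    return findings
```

Calling `audit(TRANSCRIPT, visible_databases(SHOW_DATABASES))` reports both the `create function` and the later call against `udf_test`, and reports nothing once `udf_test` is in the visible set.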

              People

              • Assignee:
                arjunmishra13 Arjun Mishra
                Reporter:
                ericlin Eric Lin
              • Votes:
                2
                Watchers:
                5