[HUE-1373] HUE ignores Hive authorization layer - Cloudera Open Source

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 2.2.0
Fix Version/s: 3.5.0
Component/s: con.hive
Labels:
- authorization
- besswax
- create
- grants
- hive
- owner
- security
- table
Environment:

SUSE Enterprise Linux 11 SP2, Cloudera CDH 4.2.1

Description

Picture the following scenario.

First, create a database, a table.

Second, grant ALTER, UPDATE, DROP, and SELECT for user FOO, on OS group 122
Third, grant ALTER, SELECT, and UPDATE privileges for user BAR, on OS group 128.

If we try to drop table with user BAR, we succeed.

SQL commands used for this example:

1. DROP Test, Hive interface

---- FOO user, belonging to OS group 122
hive> CREATE TABLE log(dia INT, mes INT, anyo INT) ROW FORMAT DELIMITED FIELDS TERMINATED BY ',' LINES TERMINATED BY '\n' STORED AS TEXTFILE;
OK
Time taken: 1.705 seconds
hive> grant alter,update,drop,select on table log to user FOO;
OK
Time taken: 0.167 seconds
hive> grant alter,update,select on table log to user BAR;
OK
Time taken: 0.119 seconds
hive>

----BAR user, belonging to OS group 128
hive> select * from log;
OK
Time taken: 2.314 seconds
hive>drop table log;
Authorization failed:No privilege 'Drop' found for outputs

{ database:default, table:log}

. Use show grant to get more details.
hive>

-------------------------------------------

With Hive, and Besswax, configured Hive Configuration Safety Valve, with the following values:

<property>
<name>hive.security.authorization.enabled</name>
<value>true</value>
</property>

<property>
<name>hive.security.authorization.createtable.owner.grants</name>
<value>ALL</value>
</property>

Attachments

Activity

People

Assignee:

Unassigned

Reporter:

Lorenzo Ramírez Hernández

Votes:

0 Vote for this issue

Watchers:

0 Start watching this issue

Dates

Created:

10/Jul/13 8:26 AM

Updated:

09/May/16 7:52 PM

Resolved:

12/Nov/13 11:14 PM