Patch for SENTRY-2240 – DROP UDF Permission Issue in Sentry

Last week, I have discovered an issue in Sentry that it does not check permissions properly when a user is trying to DROP a function. To re-produce this is easy, simply create a function under a database using admin account, and make sure that one particular user does not have ANY permissions on the database that the UDF was created under. Then, try to use that user to DROP the function.

I immediately checked if there is any upstream JIRA reported, but I was not able to find any, hence I filed a new JIRA, please see SENTRY-2240.

I have done some patches before for Sqoop and Hive, however, I have not done any for Sentry yet, so I think this JIRA is a good one to start. I went ahead to check out Sentry code from github, examined through the code to see what was wrong and could see that for CREATE and DROP FUNCTION calls, Sentry does not care what database the user was under:

HiveAuthzBindingHook.java#L226
HiveAuthzBindingHook.java#L230

      case HiveParser.TOK_CREATEFUNCTION:
        ........

        // create/drop function is allowed with any database
        currDB = Database.ALL;
        break;
      case HiveParser.TOK_DROPFUNCTION:
        // create/drop function is allowed with any database
        currDB = Database.ALL;
        break;

I have spent last weekend thinking about and applying fixes and also updating test cases that are affected. I have forked into my repository and created a branch to track my changes until final version. Please refer to https://github.com/ericlin05/sentry/tree/SENTRY-2240.

If you have any comments on my patch or want to discuss it, please add your comments below.

Leave a Reply

Your email address will not be published. Required fields are marked *