Preventing a Non-Administrative User from Installing Hooks

For a fresh install of EEP 6.1, a non-administrative user is prevented from installing hooks by default. For a minor version update (for example, EEP 6.0.0 to EEP 6.1.0 or EEP 5.0.1 to EEP 5.0.2), you need to modify the Hive configuration to prevent a malicious user from using Hive hooks to install malware on your Data Fabric cluster.

About this task

In general, a hook is a mechanism for intercepting events, messages, or function calls during processing. Hive hooks tie into the internal workings of Hive without recompiling Hive; in this sense, they provide a way to extend Hive and integrate external functionality with it.
Any user with beeline access can install Java code as a Hive hook by setting one of the hook properties in a session. On HPE Ezmeral Data Fabric, these hooks run as the mapr user, so a hook amounts to arbitrary code running under the cluster service account, which could represent a security vulnerability. To prevent a malicious user from using Hive hooks to install malware on a Data Fabric cluster, the cluster admin should add the following properties to the default value of hive.conf.restricted.list in the hive-site.xml file, and then restart HiveServer 2 (HS2):
  • hive.exec.pre.hooks
  • hive.exec.post.hooks
  • hive.exec.failure.hooks
  • hive.exec.query.redactor.hooks

Once these properties are in the restricted list, a non-admin user can no longer set them at runtime and therefore cannot install hooks into Hive.

Procedure

  1. Add all hook-related properties to the default value of hive.conf.restricted.list in the hive-site.xml file:
    • hive.exec.pre.hooks
    • hive.exec.post.hooks
    • hive.exec.failure.hooks
    • hive.exec.query.redactor.hooks
    • hive.semantic.analyzer.hook
    • hive.query.lifetime.hooks
    • hive.exec.driver.run.hooks
    • hive.server2.session.hook
  2. Check the default value that the hive.conf.restricted.list configuration parameter already has on your cluster. It contains one of the following sets of entries:
    Longer default set:
    • hive.security.authenticator.manager
    • hive.security.authorization.manager
    • hive.security.metastore.authorization.manager
    • hive.security.metastore.authenticator.manager
    • hive.users.in.admin.role
    • hive.server2.xsrf.filter.enabled
    • hive.security.authorization.enabled
    • hive.server2.authentication.ldap.baseDN
    • hive.server2.authentication.ldap.url
    • hive.server2.authentication.ldap.Domain
    • hive.server2.authentication.ldap.groupDNPattern
    • hive.server2.authentication.ldap.groupFilter
    • hive.server2.authentication.ldap.userDNPattern
    • hive.server2.authentication.ldap.userFilter
    • hive.server2.authentication.ldap.groupMembershipKey
    • hive.server2.authentication.ldap.userMembershipKey
    • hive.server2.authentication.ldap.groupClassKey
    • hive.server2.authentication.ldap.customLDAPQuery
    Shorter default set:
    • hive.security.authenticator.manager
    • hive.security.authorization.manager
    • hive.users.in.admin.role
    • hive.server2.xsrf.filter.enabled
  3. Define hive.conf.restricted.list once in the hive-site.xml file, combining the default values already present (step 2) with the hook properties (step 1). A value set in hive-site.xml replaces the built-in default rather than extending it, so omitting the defaults would leave the authorization and authentication settings unrestricted. Two examples follow, one for each default set shown in step 2. For the longer default set:
    <property>
      <name>hive.conf.restricted.list</name>
      <value>
         hive.security.authenticator.manager,
         hive.security.authorization.manager,
         hive.security.metastore.authorization.manager,
         hive.security.metastore.authenticator.manager,
         hive.users.in.admin.role,
         hive.server2.xsrf.filter.enabled,
         hive.security.authorization.enabled,
         hive.server2.authentication.ldap.baseDN,
         hive.server2.authentication.ldap.url,
         hive.server2.authentication.ldap.Domain,
         hive.server2.authentication.ldap.groupDNPattern,
         hive.server2.authentication.ldap.groupFilter,
         hive.server2.authentication.ldap.userDNPattern,
         hive.server2.authentication.ldap.userFilter,
         hive.server2.authentication.ldap.groupMembershipKey,
         hive.server2.authentication.ldap.userMembershipKey,
         hive.server2.authentication.ldap.groupClassKey,
         hive.server2.authentication.ldap.customLDAPQuery,
         hive.exec.pre.hooks,
         hive.exec.post.hooks,
         hive.exec.failure.hooks,
         hive.exec.query.redactor.hooks,
         hive.semantic.analyzer.hook,
         hive.query.lifetime.hooks,
         hive.exec.driver.run.hooks,
         hive.server2.session.hook
      </value>
    </property>
    For the shorter default set:
    <property>
      <name>hive.conf.restricted.list</name>
      <value>
         hive.security.authenticator.manager,
         hive.security.authorization.manager,
         hive.users.in.admin.role,
         hive.server2.xsrf.filter.enabled,
         hive.exec.pre.hooks,
         hive.exec.post.hooks,
         hive.exec.failure.hooks,
         hive.exec.query.redactor.hooks,
         hive.semantic.analyzer.hook,
         hive.exec.driver.run.hooks,
         hive.server2.session.hook
      </value>
    </property>
    NOTE
    The value of hive.conf.restricted.list is split across separate lines here for readability. In the actual hive-site.xml file, write it as a single comma-separated string with no spaces or newlines between the entries, and do not leave a trailing comma. Restart HiveServer 2 (HS2) afterwards for the change to take effect.
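As an added example (not part of this documentation page or of the Data Fabric product), the following Python script checks a hive-site.xml for the hardening described in this procedure: it parses hive.conf.restricted.list the way Hive does (split on commas, trim), reports any hook property still missing, and applies an equal-or-prefix match for runtime SET attempts, which is assumed here to mirror HiveConf's startsWith check. Both hive-site.xml samples are constructed inline, not taken from a real cluster.

```python
import xml.etree.ElementTree as ET

# Hook properties that this page says must be in hive.conf.restricted.list.
HOOK_PROPERTIES = (
    "hive.exec.pre.hooks",
    "hive.exec.post.hooks",
    "hive.exec.failure.hooks",
    "hive.exec.query.redactor.hooks",
    "hive.semantic.analyzer.hook",
    "hive.query.lifetime.hooks",
    "hive.exec.driver.run.hooks",
    "hive.server2.session.hook",
)

# Built-in defaults (the shorter set from step 2) that must be carried over,
# because a value in hive-site.xml replaces the default list instead of extending it.
DEFAULTS = ("hive.security.authenticator.manager,hive.security.authorization.manager,"
            "hive.users.in.admin.role,hive.server2.xsrf.filter.enabled")

def hive_site(restricted_value: str) -> str:
    """Build a constructed hive-site.xml (not a real cluster file) around one value."""
    return ('<?xml version="1.0"?><configuration><property>'
            "<name>hive.conf.restricted.list</name>"
            f"<value>{restricted_value}</value></property></configuration>")

# Constructed samples: the file before the update (defaults only) and the hardened one.
DEFAULT_ONLY_XML = hive_site(DEFAULTS)
HARDENED_XML = hive_site(DEFAULTS + "," + ",".join(HOOK_PROPERTIES))

def restricted_list(hive_site_xml: str) -> set:
    """Parse hive.conf.restricted.list: split on commas, trim, drop empty entries."""
    root = ET.fromstring(hive_site_xml)
    for prop in root.findall("property"):
        if prop.findtext("name") == "hive.conf.restricted.list":
            raw = prop.findtext("value") or ""
            return {e.strip() for e in raw.split(",") if e.strip()}
    return set()

def missing_hook_restrictions(hive_site_xml: str) -> list:
    """Hook properties that a non-admin beeline session could still set at runtime."""
    present = restricted_list(hive_site_xml)
    return [p for p in HOOK_PROPERTIES if p not in present]

def is_restricted(name: str, restricted: set) -> bool:
    """Runtime rule: a parameter is restricted if an entry equals or prefixes its name
    (assumption: this mirrors HiveConf's startsWith check on the restricted list)."""
    return any(name.startswith(entry) for entry in restricted)
```

Point restricted_list at the real file contents to audit a cluster after a minor version update; an empty result from missing_hook_restrictions means every hook property is now rejected at SET time.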