Preventing a Non-Administrative User from Installing Hooks
For a fresh install of EEP 6.1, a non-administrative user is prevented from installing hooks by default. For a minor version update (for example, EEP 6.0.0 to EEP 6.1.0 or EEP 5.0.1 to EEP 5.0.2), you need to modify the Hive configuration to prevent a malicious user from using Hive hooks to install malware on your Data Fabric cluster.
About this task
Any user using beeline can install Java code as a Hive hook. On HPE Ezmeral Data Fabric, these hooks run as the mapr user, which could represent a security vulnerability. To prevent a malicious user from using Hive hooks to install malware on a Data Fabric cluster, the cluster admin should add the following properties to the default value of hive.conf.restricted.list in the hive-site.xml file, and then restart HiveServer 2 (HS2):

    hive.exec.pre.hooks
    hive.exec.post.hooks
    hive.exec.failure.hooks
    hive.exec.query.redactor.hooks

Adding the properties prevents a non-admin user from installing hooks into Hive.
Procedure
- Add all hook-related properties to the default value of hive.conf.restricted.list in the hive-site.xml file.

  Full list:

    hive.exec.pre.hooks
    hive.exec.post.hooks
    hive.exec.failure.hooks
    hive.exec.query.redactor.hooks
    hive.semantic.analyzer.hook
    hive.query.lifetime.hooks
    hive.exec.driver.run.hooks
    hive.server2.session.hook

  Alternate list (without hive.query.lifetime.hooks):

    hive.exec.pre.hooks
    hive.exec.post.hooks
    hive.exec.failure.hooks
    hive.exec.query.redactor.hooks
    hive.semantic.analyzer.hook
    hive.exec.driver.run.hooks
    hive.server2.session.hook
- Make sure that the hive.conf.restricted.list configuration parameter already has a default value that contains the following entries.

  Full default list:

    hive.security.authenticator.manager
    hive.security.authorization.manager
    hive.security.metastore.authorization.manager
    hive.security.metastore.authenticator.manager
    hive.users.in.admin.role
    hive.server2.xsrf.filter.enabled
    hive.security.authorization.enabled
    hive.server2.authentication.ldap.baseDN
    hive.server2.authentication.ldap.url
    hive.server2.authentication.ldap.Domain
    hive.server2.authentication.ldap.groupDNPattern
    hive.server2.authentication.ldap.groupFilter
    hive.server2.authentication.ldap.userDNPattern
    hive.server2.authentication.ldap.userFilter
    hive.server2.authentication.ldap.groupMembershipKey
    hive.server2.authentication.ldap.userMembershipKey
    hive.server2.authentication.ldap.groupClassKey
    hive.server2.authentication.ldap.customLDAPQuery

  Alternate (shorter) default list:

    hive.security.authenticator.manager
    hive.security.authorization.manager
    hive.users.in.admin.role
    hive.server2.xsrf.filter.enabled
- Add the default values already present in hive.conf.restricted.list, together with the hook-related properties, to the hive-site.xml file.

  Full variant:

    <property>
      <name>hive.conf.restricted.list</name>
      <value>
        hive.security.authenticator.manager,
        hive.security.authorization.manager,
        hive.security.metastore.authorization.manager,
        hive.security.metastore.authenticator.manager,
        hive.users.in.admin.role,
        hive.server2.xsrf.filter.enabled,
        hive.security.authorization.enabled,
        hive.server2.authentication.ldap.baseDN,
        hive.server2.authentication.ldap.url,
        hive.server2.authentication.ldap.Domain,
        hive.server2.authentication.ldap.groupDNPattern,
        hive.server2.authentication.ldap.groupFilter,
        hive.server2.authentication.ldap.userDNPattern,
        hive.server2.authentication.ldap.userFilter,
        hive.server2.authentication.ldap.groupMembershipKey,
        hive.server2.authentication.ldap.userMembershipKey,
        hive.server2.authentication.ldap.groupClassKey,
        hive.server2.authentication.ldap.customLDAPQuery,
        hive.exec.pre.hooks,
        hive.exec.post.hooks,
        hive.exec.failure.hooks,
        hive.exec.query.redactor.hooks,
        hive.semantic.analyzer.hook,
        hive.query.lifetime.hooks,
        hive.exec.driver.run.hooks,
        hive.server2.session.hook
      </value>
    </property>

  Alternate (shorter) variant:

    <property>
      <name>hive.conf.restricted.list</name>
      <value>
        hive.security.authenticator.manager,
        hive.security.authorization.manager,
        hive.users.in.admin.role,
        hive.server2.xsrf.filter.enabled,
        hive.exec.pre.hooks,
        hive.exec.post.hooks,
        hive.exec.failure.hooks,
        hive.exec.query.redactor.hooks,
        hive.semantic.analyzer.hook,
        hive.exec.driver.run.hooks,
        hive.server2.session.hook
      </value>
    </property>
NOTE: The values of hive.conf.restricted.list are split into separate lines here for better readability. In the actual hive-site.xml file, no spaces or newlines exist between the commas.
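As an added example (not part of the Data Fabric documentation), the following Python script audits a hive-site.xml: it reports which hook properties are still missing from hive.conf.restricted.list, so a non-admin session could still override them, and builds the merged value with bare commas and no spaces or newlines, as the NOTE requires. The sample hive-site.xml content is constructed and the function names are my own.

```python
import xml.etree.ElementTree as ET

# Hook-related properties that must appear in hive.conf.restricted.list (full variant above).
HOOK_PROPERTIES = [
    "hive.exec.pre.hooks",
    "hive.exec.post.hooks",
    "hive.exec.failure.hooks",
    "hive.exec.query.redactor.hooks",
    "hive.semantic.analyzer.hook",
    "hive.query.lifetime.hooks",
    "hive.exec.driver.run.hooks",
    "hive.server2.session.hook",
]

# Constructed sample hive-site.xml: stock default list plus only one hook entry.
SAMPLE_HIVE_SITE = """<configuration>
  <property>
    <name>hive.conf.restricted.list</name>
    <value>hive.security.authenticator.manager,hive.security.authorization.manager,hive.users.in.admin.role,hive.server2.xsrf.filter.enabled,hive.exec.pre.hooks</value>
  </property>
</configuration>"""

def read_restricted_list(xml_text):
    """Return the entries of hive.conf.restricted.list in file order."""
    root = ET.fromstring(xml_text)
    for prop in root.findall("property"):
        if prop.findtext("name", "").strip() == "hive.conf.restricted.list":
            raw = prop.findtext("value", "")
            # Tolerate whitespace around commas when reading; never emit it.
            return [e.strip() for e in raw.split(",") if e.strip()]
    return []

def missing_hook_entries(xml_text):
    """Hook properties a non-admin session could still override with SET."""
    present = set(read_restricted_list(xml_text))
    return [p for p in HOOK_PROPERTIES if p not in present]

def build_restricted_value(existing, additions):
    """Merge entries (deduplicated, order kept), joined by bare commas only."""
    seen, merged = set(), []
    for entry in list(existing) + list(additions):
        if entry and entry not in seen:
            seen.add(entry)
            merged.append(entry)
    return ",".join(merged)

if __name__ == "__main__":
    print("missing:", missing_hook_entries(SAMPLE_HIVE_SITE))
    print("value:", build_restricted_value(read_restricted_list(SAMPLE_HIVE_SITE), HOOK_PROPERTIES))
```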