Preventing a Non-Administrative User from Installing Hooks

For a fresh install of EEP 6.1, a non-administrative user is prevented from installing hooks by default. For a minor version update (for example, EEP 6.0.0 to EEP 6.1.0 or EEP 5.0.1 to EEP 5.0.2), you need to modify the Hive configuration to prevent a malicious user from using Hive hooks to install malware on your Data Fabric cluster.

About this task

In general, a hook is a mechanism for intercepting events, messages, or function calls during processing. Hive hooks are a mechanism to tie into the internal workings of Hive without the need of re-compiling Hive. Hive hooks, in this sense, provide the ability to extend and integrate external functionality with Hive.

Any user using beeline can install Java code as a Hive hook. On HPE Ezmeral Data Fabric, these hooks run as the mapr user, which could represent a security vulnerability. To prevent a malicious user from using Hive hooks to install malware on a Data Fabric cluster, the cluster admin should add the following properties to the default value of hive.conf.restricted.list in the hive-site.xml file, and then restart HiveServer 2 (HS2):

hive.exec.pre.hooks
hive.exec.post.hooks
hive.exec.failure.hooks
hive.exec.query.redactor.hooks

Adding the properties prevents a non-admin user from installing hooks into Hive.

Procedure

Add all hook-related properties to the default value of hive.conf.restricted.list in the hive-site.xml file:
- hive.exec.pre.hooks
- hive.exec.post.hooks
- hive.exec.failure.hooks
- hive.exec.query.redactor.hooks
- hive.semantic.analyzer.hook
- hive.query.lifetime.hooks
- hive.exec.driver.run.hooks
- hive.server2.session.hook
- hive.exec.pre.hooks
- hive.exec.post.hooks
- hive.exec.failure.hooks
- hive.exec.query.redactor.hooks
- hive.semantic.analyzer.hook
- hive.exec.driver.run.hooks
- hive.server2.session.hook

Make sure hive.conf.restricted.list configuration parameter already has a default value which contains:

hive.security.authenticator.manager
hive.security.authorization.manager
Hive.security.metastore.authorization.manager
hive.security.metastore.authenticator.manager
Hive.users.in.admin.role,hive.server2.xsrf.filter.enabled
hive.security.authorization.enabled
hive.server2.authentication.ldap.baseDN
hive.server2.authentication.ldap.url
hive.server2.authentication.ldap.Domain
hive.server2.authentication.ldap.groupDNPattern
hive.server2.authentication.ldap.groupFilter
hive.server2.authentication.ldap.userDNPattern
hive.server2.authentication.ldap.userFilter
hive.server2.authentication.ldap.groupMembershipKey
hive.server2.authentication.ldap.userMembershipKey
hive.server2.authentication.ldap.groupClassKey
hive.server2.authentication.ldap.customLDAPQuery

hive.security.authenticator.manager
hive.security.authorization.manager
hive.users.in.admin.role
hive.server2.xsrf.filter.enabled

Add the default values already present in hive.conf.restricted.list to the hive-site.xml file:

<property>
  <name>hive.conf.restricted.list</name>
  <value>
     hive.security.authenticator.manager,
     hive.security.authorization.manager,
     hive.security.metastore.authorization.manager,
     hive.security.metastore.authenticator.manager,
     hive.users.in.admin.role,hive.server2.xsrf.filter.enabled,
     hive.security.authorization.enabled,
     hive.server2.authentication.ldap.baseDN,
     hive.server2.authentication.ldap.url,
     hive.server2.authentication.ldap.Domain,
     hive.server2.authentication.ldap.groupDNPattern,
     hive.server2.authentication.ldap.groupFilter,
     hive.server2.authentication.ldap.userDNPattern,
     hive.server2.authentication.ldap.userFilter,
     hive.server2.authentication.ldap.groupMembershipKey,
     hive.server2.authentication.ldap.userMembershipKey,
     hive.server2.authentication.ldap.groupClassKey,
     hive.server2.authentication.ldap.customLDAPQuery,
     hive.exec.pre.hooks,
     hive.exec.post.hooks,
     hive.exec.failure.hooks,
     hive.exec.query.redactor.hooks,
     hive.semantic.analyzer.hook,
     hive.query.lifetime.hooks,
     hive.exec.driver.run.hooks,
     hive.server2.session.hook,
  </value>
</property>

<property>
  <name>hive.conf.restricted.list</name>
  <value>
     hive.security.authenticator.manager,
     hive.security.authorization.manager,
     hive.users.in.admin.role,
     hive.server2.xsrf.filter.enabled,
     hive.exec.pre.hooks,
     hive.exec.post.hooks,
     hive.exec.failure.hooks,
     hive.exec.query.redactor.hooks,
     hive.semantic.analyzer.hook,
     hive.exec.driver.run.hooks,
     hive.server2.session.hook,
  </value>
</property>

NOTE

Values of the hive.conf.restricted.list are split into separate lines for better readability. In the actual hive-site.xml file, no spaces or newlines exist between the commas.

HPE Ezmeral Data Fabric – Customer-Managed 7.9.0 Documentation
Abstract	This site contains documentation for the customer-managed platform of the HPE Ezmeral Data Fabric version 7.9.0 including installation, configuration, administration, and reference content, as well as content for the associated bundled ecosystem components and drivers.
Published	November 2024
Edition	7.9.0