Preventing a Non-Administrative User from Installing Hooks

For a fresh install of EEP 6.1, a non-administrative user is prevented from installing hooks by default. For a minor version update (for example, EEP 6.0.0 to EEP 6.1.0 or EEP 5.0.1 to EEP 5.0.2), you need to modify the Hive configuration to prevent a malicious user from using Hive hooks to install malware on your Data Fabric cluster.

About this task

In general, a hook is a mechanism for intercepting events, messages, or function calls during processing. Hive hooks are a mechanism to tie into the internal workings of Hive without the need of re-compiling Hive. Hive hooks, in this sense, provide the ability to extend and integrate external functionality with Hive.
Any user using beeline can install Java code as a Hive hook. On HPE Data Fabric, these hooks run as the mapr user, which could represent a security vulnerability. To prevent a malicious user from using Hive hooks to install malware on a Data Fabric cluster, the cluster admin should add the following properties to the default value of hive.conf.restricted.list in the hive-site.xml file, and then restart HiveServer 2 (HS2):
  • hive.exec.pre.hooks
  • hive.exec.post.hooks
  • hive.exec.failure.hooks
  • hive.exec.query.redactor.hooks

Adding the properties prevents a non-admin user from installing hooks into Hive.

Procedure

  1. Add all hook-related properties to the default value of hive.conf.restricted.list in the hive-site.xml file:
    • Hive 2.3
    • Hive 2.1
    • hive.exec.pre.hooks
    • hive.exec.post.hooks
    • hive.exec.failure.hooks
    • hive.exec.query.redactor.hooks
    • hive.semantic.analyzer.hook
    • hive.query.lifetime.hooks
    • hive.exec.driver.run.hooks
    • hive.server2.session.hook
    • hive.exec.pre.hooks
    • hive.exec.post.hooks
    • hive.exec.failure.hooks
    • hive.exec.query.redactor.hooks
    • hive.semantic.analyzer.hook
    • hive.exec.driver.run.hooks
    • hive.server2.session.hook
  2. Make sure hive.conf.restricted.list configuration parameter already has a default value which contains:
    • Hive 2.3
    • Hive 2.1
    hive.security.authenticator.manager
hive.security.authorization.manager
Hive.security.metastore.authorization.manager
hive.security.metastore.authenticator.manager
Hive.users.in.admin.role,hive.server2.xsrf.filter.enabled
hive.security.authorization.enabled
hive.server2.authentication.ldap.baseDN
hive.server2.authentication.ldap.url
hive.server2.authentication.ldap.Domain
hive.server2.authentication.ldap.groupDNPattern
hive.server2.authentication.ldap.groupFilter
hive.server2.authentication.ldap.userDNPattern
hive.server2.authentication.ldap.userFilter
hive.server2.authentication.ldap.groupMembershipKey
hive.server2.authentication.ldap.userMembershipKey
hive.server2.authentication.ldap.groupClassKey
hive.server2.authentication.ldap.customLDAPQuery
    hive.security.authenticator.manager
hive.security.authorization.manager
hive.users.in.admin.role
hive.server2.xsrf.filter.enabled
  3. Add the default values already present in hive.conf.restricted.list to the hive-site.xml file:
    • Hive 2.3
    • Hive 2.1
    <property>
  <name>hive.conf.restricted.list</name>
  <value>
     hive.security.authenticator.manager,
     hive.security.authorization.manager,
     hive.security.metastore.authorization.manager,
     hive.security.metastore.authenticator.manager,
     hive.users.in.admin.role,hive.server2.xsrf.filter.enabled,
     hive.security.authorization.enabled,
     hive.server2.authentication.ldap.baseDN,
     hive.server2.authentication.ldap.url,
     hive.server2.authentication.ldap.Domain,
     hive.server2.authentication.ldap.groupDNPattern,
     hive.server2.authentication.ldap.groupFilter,
     hive.server2.authentication.ldap.userDNPattern,
     hive.server2.authentication.ldap.userFilter,
     hive.server2.authentication.ldap.groupMembershipKey,
     hive.server2.authentication.ldap.userMembershipKey,
     hive.server2.authentication.ldap.groupClassKey,
     hive.server2.authentication.ldap.customLDAPQuery,
     hive.exec.pre.hooks,
     hive.exec.post.hooks,
     hive.exec.failure.hooks,
     hive.exec.query.redactor.hooks,
     hive.semantic.analyzer.hook,
     hive.query.lifetime.hooks,
     hive.exec.driver.run.hooks,
     hive.server2.session.hook,
  </value>
</property>               
    <property>
  <name>hive.conf.restricted.list</name>
  <value>
     hive.security.authenticator.manager,
     hive.security.authorization.manager,
     hive.users.in.admin.role,
     hive.server2.xsrf.filter.enabled,
     hive.exec.pre.hooks,
     hive.exec.post.hooks,
     hive.exec.failure.hooks,
     hive.exec.query.redactor.hooks,
     hive.semantic.analyzer.hook,
     hive.exec.driver.run.hooks,
     hive.server2.session.hook,
  </value>
</property>
    NOTE
    Values of the hive.conf.restricted.list are split into separate lines for better readability. In the actual hive-site.xml file, no spaces or newlines exist between the commas.