我们的Hive中开启了authentication(hive.security.authorization.enabled为true),为了防止用户在hive session中reset这个配置为false,绕过authorization策略,我们在setProcessor中会预先加载hiveConfSetBlackList,如果用户set blacklist中的hiveconf会抛异常,今天发现Hive0.11中已经增加了一个配置选项“hive.conf.restricted.list”,value用逗号分割,会起到相同的效果。
// setup list of conf vars that are not allowed to change runtime
String restrictListStr = this.get(ConfVars.HIVE_CONF_RESTRICTED_LIST.toString());
if (restrictListStr != null) {
for (String entry : restrictListStr.split(",")) {
restrictList.add(entry);
}
}
restrictList.add(ConfVars.HIVE_CONF_RESTRICTED_LIST.toString());SetProcessor中的setConf会先对key做validation和verification,如果在restrictedList里面就会报错
public void verifyAndSet(String name, String value) throws IllegalArgumentException {
if (restrictList.contains(name)) {
throw new IllegalArgumentException("Cann't modify " + name + " at runtime");
}
set(name, value);
}通过设置hive.conf.restricted.list,能防止用户reset某些禁止的hiveconf值
本文链接http://blog.csdn.net/lalaguozhe/article/details/12976511,转载请注明
