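Our Hive has authentication enabled (hive.security.authorization.enabled is true). To prevent users from resetting this setting to false in a Hive session and bypassing the authorization policy, we preload a hiveConfSetBlackList in setProcessor, and an exception is thrown if a user sets a hiveconf that is on the blacklist. Today I found that Hive 0.11 has added a configuration option, "hive.conf.restricted.list", whose value is a comma-separated list and which has the same effect.
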
    // setup list of conf vars that are not allowed to change runtime
    String restrictListStr = this.get(ConfVars.HIVE_CONF_RESTRICTED_LIST.toString());
    if (restrictListStr != null) {
      for (String entry : restrictListStr.split(",")) {
        restrictList.add(entry);
      }
    }
    // the restricted list itself is always restricted, so it cannot be changed at runtime either
    restrictList.add(ConfVars.HIVE_CONF_RESTRICTED_LIST.toString());

setConf in SetProcessor first validates and verifies the key; if the key is in the restricted list, an error is raised:

    public void verifyAndSet(String name, String value) throws IllegalArgumentException {
      // reject any key that is on the restricted list
      if (restrictList.contains(name)) {
        throw new IllegalArgumentException("Cann't modify " + name + " at runtime");
      }
      set(name, value);
    }

By setting hive.conf.restricted.list, you can prevent users from resetting the hiveconf values you want to lock down.
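
The following added example (not from the original post and not Hive's own code) models the two quoted snippets in one stand-alone Java class. It shows that the restricted list protects itself, and that because entries are split on commas without trimming, an entry written with a space after the comma does not match, so the list should be written without spaces. The class name RestrictedConfDemo, the trimEntries switch and the sample list value are assumptions made for illustration.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Added example: RestrictedConfDemo and its members are hypothetical names, not Hive classes.
public class RestrictedConfDemo {
    static final String RESTRICTED_LIST_KEY = "hive.conf.restricted.list";
    private final Map<String, String> conf = new HashMap<>();
    private final Set<String> restrictList = new HashSet<>();
    RestrictedConfDemo(String restrictListStr, boolean trimEntries) {
        if (restrictListStr != null) {
            for (String entry : restrictListStr.split(",")) {
                // The quoted snippet adds entries untrimmed; trimEntries models a stricter parse.
                restrictList.add(trimEntries ? entry.trim() : entry);
            }
        }
        // The list protects itself, so a session cannot empty it with "set".
        restrictList.add(RESTRICTED_LIST_KEY);
    }

    void verifyAndSet(String name, String value) {
        if (restrictList.contains(name)) {
            throw new IllegalArgumentException("Cann't modify " + name + " at runtime");
        }
        conf.put(name, value);
    }
    // Returns true if the session-level "set name=value" was accepted.
    boolean trySet(String name, String value) {
        try {
            verifyAndSet(name, value);
            return true;
        } catch (IllegalArgumentException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        String authz = "hive.security.authorization.enabled";
        // Constructed sample value with a space after the comma.
        String listed = "hive.exec.pre.hooks, " + authz;
        RestrictedConfDemo asQuoted = new RestrictedConfDemo(listed, false);
        RestrictedConfDemo trimmed = new RestrictedConfDemo(listed, true);
        System.out.println("untrimmed, set authz accepted: " + asQuoted.trySet(authz, "false"));
        System.out.println("trimmed,   set authz accepted: " + trimmed.trySet(authz, "false"));
        System.out.println("set restricted list accepted:  " + asQuoted.trySet(RESTRICTED_LIST_KEY, ""));
        System.out.println("set unrelated key accepted:    " + asQuoted.trySet("mapred.reduce.tasks", "4"));
    }
}
```
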
Link to this article: http://blog.csdn.net/lalaguozhe/article/details/12976511. Please credit the source when reposting.