HIVE-29671: Harden Schema path authorization for avro serde#6549
Conversation
There was a problem hiding this comment.
Pull request overview
This PR hardens Avro SerDe schema resolution by restricting/validating avro.schema.url schemes (and optionally allowlisting HTTP hosts), and extends Hive authorization plumbing so filesystem-based schema URLs are authorized as DFS_URI inputs during create/alter and query-time reads.
Changes:
- Add scheme/host validation for
avro.schema.url, disable remote HTTP fetch by default, and materialize resolved schemas intoavro.schema.literal. - Enrich authorization inputs to include filesystem-backed Avro schema URLs (metastore events + query authorization paths).
- Add new HiveConf knobs and expand unit/integration test coverage for the new behavior.
Reviewed changes
Copilot reviewed 12 out of 12 changed files in this pull request and generated 8 comments.
Show a summary per file
| File | Description |
|---|---|
serde/src/java/org/apache/hadoop/hive/serde2/avro/AvroSerdeUtils.java |
Validates schema URL scheme/host and changes how schemas are fetched/materialized. |
serde/src/test/org/apache/hadoop/hive/serde2/avro/TestAvroSerdeUtils.java |
Adds tests for scheme/host validation and schema materialization. |
common/src/java/org/apache/hadoop/hive/conf/HiveConf.java |
Introduces new config vars for allowed schemes and remote HTTP settings/allowlist. |
ql/src/java/org/apache/hadoop/hive/ql/security/authorization/AuthorizationUtils.java |
Adds helpers to derive/authorize filesystem schema URL inputs on reads. |
ql/src/java/org/apache/hadoop/hive/ql/security/authorization/command/CommandAuthorizerV2.java |
Enriches read inputs before privilege checks to include schema URL entities. |
ql/src/java/org/apache/hadoop/hive/ql/plan/PlanUtils.java |
Hooks input addition to also add schema URL read entities. |
ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/events/CreateTableEvent.java |
Adds DFS_URI privilege objects for Avro avro.schema.url at create time. |
ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/events/AlterTableEvent.java |
Adds DFS_URI privilege objects for updated Avro avro.schema.url at alter time. |
ql/src/test/org/apache/hadoop/hive/ql/security/authorization/TestAvroSchemaUrlAuthorizationUtils.java |
New unit tests for schema URL authorization utilities. |
ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/TestHiveMetaStoreAuthorizer.java |
Adds/adjusts metastore authorizer tests for DFS_URI objects from schema URLs. |
ql/src/test/results/clientpositive/llap/compustat_avro.q.out |
Updates golden output masking lines affected by input changes. |
ql/src/test/results/clientpositive/llap/avro_extschema_insert.q.out |
Updates golden output masking lines affected by input changes. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
@dengzhhu653 - Can you review this? Tests are finally green after many flaky runs. |
| if (!AvroSerdeUtils.isFilesystemSchemaUrl(schemaUrl)) { | ||
| return; | ||
| } | ||
| if (!needDFSUriAuth(schemaUrl, getDefaultTablePath(database, table))) { |
There was a problem hiding this comment.
this schemaUrl shouldn't be the same as table's location,
| if (schemaUrl == null) { | ||
| return; | ||
| } | ||
| if (!needDFSUriAuth(schemaUrl, getDefaultTablePath(database, table))) { |
There was a problem hiding this comment.
why do we check the schemaUrl against the getDefaultTablePath(database, table), they are different
|



What changes were proposed in this pull request?
Why are the changes needed?
Does this PR introduce any user-facing change?
How was this patch tested?