Hue permissions issue

edoardo91 · ‎11-09-2018

Hello,

I notice a strange security behaviour of the Hue service:
when I remove the beeswax or Impala permission from a particular Hue group, the tab in the Hue web page header disappear and thi is correct.

The problem is that knowing the URL, so just adding
- https://hue_url/notebook/editor?type=hive or
- https://hue_url/notebook/editor?type=impala
everyone can reach the Hive/Impala Hue web page and execute any queries they want.

Is that normal? Does a solution exist to fix this security issue?

Thank you,

Edoardo

Tomas79 · ‎11-09-2018

I dont think it is a big security issue, because Hue does not run the queries under system account, and impersonates the users. So you can remove all select permissions from the group in Sentry, and the hive/impala editor will not be an issue.
But I admin, that Hue should not allow the functionality by a simple URL change

edoardo91 · ‎11-10-2018

Yes, I agree with you, it is not a big security issue and you can handle the group permissions in Sentry.

But in my particular case I do not want to remove all the permission for that group using Sentry, because I permit the group to see the data with other tools.
I just want to block the use of Hue for that group.

Do you know if it is possible someway?