Securing Iceberg table data

Learn how to prevent Hive and Impala from reading data files that an Iceberg table references from outside its own table location.

An unauthorized user who knows the underlying file layout of a table can gain access to the data in an Iceberg table in the following way:

User1 owns a table, table1, which User2 does not have permission to read. However, User2 could execute an attack as follows: User2 creates a new table, table2, to which they have access rights. User2 then modifies the metadata files of their own table (table2) to reference data files from User1’s table (table1), effectively including these files as part of table2. By accessing their own table (table2), User2 can then read the data files that belong to User1’s table (table1).

You can prevent this by configuring Hive and Impala to refuse to read data files that lie outside the Iceberg table location.

Hive

Add the following property to HiveServer2 Advanced Configuration Snippet (Safety Valve) for hive-site.xml and set the value to "true":

hive.iceberg.allow.datafiles.in.table.location.only

Impala

Ensure that the following Impala startup flag is set to "true". The value of this flag is set to true by default.

iceberg_allow_datafiles_in_table_location_only
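The check that these two settings enforce, shown as an added example (not Cloudera, Hive or Impala code): an audit that lists the data files a table's manifests reference from outside the table location. The table location and file paths are constructed, and the function names are assumptions.

```python
"""Audit Iceberg data file paths against the table location (added example)."""
from posixpath import normpath
from urllib.parse import urlparse


def _split(uri: str):
    """Return (scheme, authority, normalized path) for a storage URI."""
    parts = urlparse(uri)
    # normpath collapses '..' and '//' so a traversal cannot escape the check
    path = normpath(parts.path or "/")
    return parts.scheme, parts.netloc, path


def is_inside_table_location(table_location: str, data_file: str) -> bool:
    """True when data_file lives under table_location on the same filesystem."""
    t_scheme, t_auth, t_path = _split(table_location)
    f_scheme, f_auth, f_path = _split(data_file)
    if (t_scheme, t_auth) != (f_scheme, f_auth):
        return False  # different bucket or filesystem
    # Compare on a directory boundary so '.../table2' does not match
    # '.../table20' by plain string prefix.
    return f_path == t_path or f_path.startswith(t_path.rstrip("/") + "/")


def find_foreign_datafiles(table_location: str, data_files):
    """Return the data files that are referenced from outside the table."""
    return [f for f in data_files if not is_inside_table_location(table_location, f)]


# Constructed sample: table2's manifest pointing at files it should not own.
TABLE2_LOCATION = "s3a://warehouse/db/table2"
MANIFEST_PATHS = [
    "s3a://warehouse/db/table2/data/00000-0-a.parquet",            # legitimate
    "s3a://warehouse/db/table1/data/00000-0-b.parquet",            # table1's file
    "s3a://warehouse/db/table2/data/../../table1/data/c.parquet",  # traversal
    "s3a://warehouse/db/table20/data/d.parquet",                   # prefix trick
    "hdfs://nn/warehouse/db/table2/data/e.parquet",                # other filesystem
]

if __name__ == "__main__":
    for path in find_foreign_datafiles(TABLE2_LOCATION, MANIFEST_PATHS):
        print("outside table location:", path)
```

Only the first sample path is accepted; the other four are the cases the Hive property and Impala flag are meant to block.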