Security risks of Hive user-defined functions

Learn about security risks associated with the GenericUDFReflect class and how to restrict Hive user-defined functions (UDFs) to prevent unauthorized code execution or HDFS data exposure.

Hive UDFs support custom data processing, but granting incorrect UDF privileges exposes the Hive service to security vulnerabilities.

Risks of the TEMPUDFADMIN privilege

The TEMPUDFADMIN privilege allows you to create and invoke temporary functions without additional controls. Because temporary functions can be named differently than the blacklisted UDFs (hive.server2.builtin.udf.blacklist) they can bypass these restrictions, a user with this privilege can execute arbitrary code under the Hive service user. This access might lead to the exposure of sensitive HDFS data or the unauthorized use of the Hive Kerberos ticket.

Risks of the SELECT privilege

The SELECT privilege on a function acts as a safety gate.If you grant SELECT access to a function that points to malicious or risky code, you can inadvertently give a user access to sensitive data. Cloudera recommends that Ranger administrators review the function class and underlying code before granting this privilege.