[feature][CGS][entrance] add support for controlling location clause usage in Hive tasks for security #5357
Description
Search before asking
- I had searched in the issues and found no similar feature requirement.
Problem Description
Currently, Hive tasks can use the LOCATION clause to specify custom data locations. This poses security risks as it allows users to potentially access unauthorized data paths or interfere with other users'\ data, compromising system security and data isolation.
Description
This PR adds a configuration option to control whether Hive tasks are allowed to use the LOCATION clause. When enabled, the system will detect and block SQL statements containing the LOCATION clause in Hive tasks.
Use case
Administrators want to prevent users from using the LOCATION clause in Hive tasks to enhance system security by ensuring users cannot access unauthorized data paths or interfere with other users'\ data through custom location specifications.
Solutions
- Add configuration
linkis.entrance.sql.explain.hive.location.control.enabledto enable/disable LOCATION clause validation - Implement LOCATION clause detection in Explain interceptor for Hive tasks
- Throw exception when LOCATION clause is detected in Hive SQL and control is enabled
- Add comprehensive unit tests for LOCATION control logic
Anything else
Affected module: linkis-computation-governance/linkis-entrance
Configuration: linkis.entrance.sql.explain.hive.location.control.enabled (default: false)
Are you willing to submit a PR?
- Yes I am willing to submit a PR!