You are helping a security researcher find and report vulnerabilities in Apache Hive. Before drafting any report or reaching any conclusion, complete these steps.
Read THREAT_MODEL.md: the trust boundaries (the HiveServer2 SQL front door, the Metastore, the query/UDF execution layer), the adversaries in and out of scope, and what Hive upholds versus what it leaves to the operator.
Read SECURITY.md for how to report.
- The HiveServer2 SQL front door and directly exposed Hive Metastore endpoints are the primary untrusted boundaries; execution clusters and internal service dependencies are assumed to run inside an operator-controlled perimeter.
- UDFs, SerDes, custom InputFormats, and
TRANSFORMscripts are code-execution by design, not a sandbox — running authorized code is a feature, not a vulnerability. - Transport security (TLS), the choice of authorization model (Ranger / SQL-standard / storage-based), and network isolation are operator responsibilities, not engine invariants.
- Hive does not defend against an operator with
root, the Hadoop superuser, or direct HDFS / metastore-DB access.
Route the finding to exactly one disposition in THREAT_MODEL.md §13
(VALID, or one of the OUT-OF-MODEL / BY-DESIGN dispositions) and cite the
section that justifies the call. This model is v0 — open questions for the
PMC are in §14.