HIVE-26765: Hive Ranger URL policy for insert overwrite directory den…

…ies access when fully qualified paths are passed (apache#3790) (Simhadri Govindappa, reviewed by Adam Szita) (cherry picked from commit aefc06d)
DongWei-4 · Dec 29, 2022 · fe807f9 · fe807f9
1 parent 0d677c2
commit fe807f9
Show file tree

Hide file tree

Showing 4 changed files with 31 additions and 2 deletions.
diff --git a/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java b/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
@@ -3487,7 +3487,9 @@ public static enum ConfVars {
         "When true it URL encodes the URI generated by HBaseStorageHandler for authorization. The URI consists of the" +
         "HBase table name, column family, etc. and may contain characters that need encoding, such as #. If set to " +
         "true, the corresponding Ranger policies need to be in URL encoded format too."),
-
+    HIVE_RANGER_USE_FULLY_QUALIFIED_URL("hive.ranger.use.fully.qualified.url", true, "When set to true,  fully " +
+            "qualified path will be used to validate against ranger url policies. When set to false relative path is used." +
+            "Cannot be modified at runtime."),
     // For Kudu storage handler
     HIVE_KUDU_MASTER_ADDRESSES_DEFAULT("hive.kudu.master.addresses.default", "localhost:7050",
         "Comma-separated list of all of the Kudu master addresses.\n" +

diff --git a/ql/src/java/org/apache/hadoop/hive/ql/parse/SemanticAnalyzer.java b/ql/src/java/org/apache/hadoop/hive/ql/parse/SemanticAnalyzer.java
@@ -7881,7 +7881,8 @@ protected Operator genFileSinkPlan(String dest, QB qb, Operator input)
         loadFileDesc.setMoveTaskId(moveTaskId);
         loadFileWork.add(loadFileDesc);
         try {
-          Path qualifiedPath = destinationPath.getFileSystem(conf).makeQualified(destinationPath);
+          Path qualifiedPath = conf.getBoolVar(ConfVars.HIVE_RANGER_USE_FULLY_QUALIFIED_URL) ?
+                  destinationPath.getFileSystem(conf).makeQualified(destinationPath) : destinationPath;
           if (!outputs.add(new WriteEntity(qualifiedPath, !isDfsDir, isDestTempFile))) {
             throw new SemanticException(ErrorMsg.OUTPUT_SPECIFIED_MULTIPLE_TIMES
                     .getMsg(destinationPath.toUri().toString()));

diff --git a/ql/src/test/queries/clientpositive/fully_qualified_or_relative_location.q b/ql/src/test/queries/clientpositive/fully_qualified_or_relative_location.q
@@ -0,0 +1,10 @@
+--! qt:dataset:src
+
+SET hive.insert.into.multilevel.dirs=true;
+SET hive.output.file.extension=.txt;
+
+set hive.ranger.use.fully.qualified.url = true;
+INSERT OVERWRITE DIRECTORY 'target/data/x/y/z/' SELECT src.* FROM src;
+
+set hive.ranger.use.fully.qualified.url = false;
+INSERT OVERWRITE DIRECTORY 'target/data/x/y/z/' SELECT src.* FROM src;
diff --git a/ql/src/test/results/clientpositive/llap/fully_qualified_or_relative_location.q.out b/ql/src/test/results/clientpositive/llap/fully_qualified_or_relative_location.q.out
@@ -0,0 +1,16 @@
+PREHOOK: query: INSERT OVERWRITE DIRECTORY 'target/data/x/y/z/' SELECT src.* FROM src
+PREHOOK: type: QUERY
+PREHOOK: Input: default@src
+#### A masked pattern was here ####
+POSTHOOK: query: INSERT OVERWRITE DIRECTORY 'target/data/x/y/z/' SELECT src.* FROM src
+POSTHOOK: type: QUERY
+POSTHOOK: Input: default@src
+#### A masked pattern was here ####
+PREHOOK: query: INSERT OVERWRITE DIRECTORY 'target/data/x/y/z/' SELECT src.* FROM src
+PREHOOK: type: QUERY
+PREHOOK: Input: default@src
+PREHOOK: Output: target/data/x/y/z
+POSTHOOK: query: INSERT OVERWRITE DIRECTORY 'target/data/x/y/z/' SELECT src.* FROM src
+POSTHOOK: type: QUERY
+POSTHOOK: Input: default@src
+POSTHOOK: Output: target/data/x/y/z