This is an automated email from the ASF dual-hosted git repository.
szita pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/hive.git
The following commit(s) were added to refs/heads/master by this push:
new aefc06da2af HIVE-26765: Hive Ranger URL policy for insert overwrite
directory denies access when fully qualified paths are passed (#3790) (Simhadri
Govindappa, reviewed by Adam Szita)
aefc06da2af is described below
commit aefc06da2afca008c81b8da7125eb08d45a39e29
Author: SimhadriGovindappa <[email protected]>
AuthorDate: Mon Nov 21 17:38:51 2022 +0530
HIVE-26765: Hive Ranger URL policy for insert overwrite directory denies
access when fully qualified paths are passed (#3790) (Simhadri Govindappa,
reviewed by Adam Szita)
---
.../src/java/org/apache/hadoop/hive/conf/HiveConf.java | 4 +++-
.../apache/hadoop/hive/ql/parse/SemanticAnalyzer.java | 3 ++-
.../fully_qualified_or_relative_location.q | 10 ++++++++++
.../llap/fully_qualified_or_relative_location.q.out | 16 ++++++++++++++++
4 files changed, 31 insertions(+), 2 deletions(-)
diff --git a/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
b/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
index 27fdddc47c9..6c802db02c0 100644
--- a/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
+++ b/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
@@ -3487,7 +3487,9 @@ public class HiveConf extends Configuration {
"When true it URL encodes the URI generated by HBaseStorageHandler for
authorization. The URI consists of the" +
"HBase table name, column family, etc. and may contain characters that
need encoding, such as #. If set to " +
"true, the corresponding Ranger policies need to be in URL encoded
format too."),
-
+ HIVE_RANGER_USE_FULLY_QUALIFIED_URL("hive.ranger.use.fully.qualified.url",
true, "When set to true, fully " +
+ "qualified path will be used to validate against ranger url
policies. When set to false relative path is used." +
+ "Cannot be modified at runtime."),
// For Kudu storage handler
HIVE_KUDU_MASTER_ADDRESSES_DEFAULT("hive.kudu.master.addresses.default",
"localhost:7050",
"Comma-separated list of all of the Kudu master addresses.\n" +
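Review bot: The help text added for `HIVE_RANGER_USE_FULLY_QUALIFIED_URL` ends with "Cannot be modified at runtime.", but nothing in this hunk enforces that. The `.q` test added in the same commit changes the value mid-session with `set hive.ranger.use.fully.qualified.url = false;` and gets a different `Output:` entity. Because the description says the flag decides which path form is validated against Ranger URL policies, it should presumably be admin-controlled: either add it to the default of `hive.conf.restricted.list` (not visible in this hunk) or drop the sentence. The concatenation also loses a space, so the description renders as `used.Cannot`; the second fragment should end `"...relative path is used. " +`.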
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/parse/SemanticAnalyzer.java
b/ql/src/java/org/apache/hadoop/hive/ql/parse/SemanticAnalyzer.java
index 50f2078a233..a3a4f3fc28e 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/parse/SemanticAnalyzer.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/parse/SemanticAnalyzer.java
@@ -7881,7 +7881,8 @@ public class SemanticAnalyzer extends
BaseSemanticAnalyzer {
loadFileDesc.setMoveTaskId(moveTaskId);
loadFileWork.add(loadFileDesc);
try {
- Path qualifiedPath =
destinationPath.getFileSystem(conf).makeQualified(destinationPath);
+ Path qualifiedPath =
conf.getBoolVar(ConfVars.HIVE_RANGER_USE_FULLY_QUALIFIED_URL) ?
+
destinationPath.getFileSystem(conf).makeQualified(destinationPath) :
destinationPath;
if (!outputs.add(new WriteEntity(qualifiedPath, !isDfsDir,
isDestTempFile))) {
throw new
SemanticException(ErrorMsg.OUTPUT_SPECIFIED_MULTIPLE_TIMES
.getMsg(destinationPath.toUri().toString()));
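Review bot: With the flag off, the local still named `qualifiedPath` holds the raw `destinationPath`, so the `WriteEntity` added to `outputs` can carry a relative path whose meaning depends on the default filesystem and working directory. The path the authorizer evaluates is then not guaranteed to be the location actually written. The `outputs.add(...)` duplicate check may also stop catching two spellings of the same directory, though `WriteEntity` equality is not visible here. I would rename the local, e.g. `Path authzPath = ...`, and add `// Deliberately unqualified when HIVE_RANGER_USE_FULLY_QUALIFIED_URL is false; URL policies must then match the path as typed.` The enclosing method starts and ends outside the hunk.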
diff --git
a/ql/src/test/queries/clientpositive/fully_qualified_or_relative_location.q
b/ql/src/test/queries/clientpositive/fully_qualified_or_relative_location.q
new file mode 100644
index 00000000000..8b49c1d0f93
--- /dev/null
+++ b/ql/src/test/queries/clientpositive/fully_qualified_or_relative_location.q
@@ -0,0 +1,10 @@
+--! qt:dataset:src
+
+SET hive.insert.into.multilevel.dirs=true;
+SET hive.output.file.extension=.txt;
+
+set hive.ranger.use.fully.qualified.url = true;
+INSERT OVERWRITE DIRECTORY 'target/data/x/y/z/' SELECT src.* FROM src;
+
+set hive.ranger.use.fully.qualified.url = false;
+INSERT OVERWRITE DIRECTORY 'target/data/x/y/z/' SELECT src.* FROM src;
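Review bot: Both statements write to the relative `'target/data/x/y/z/'`, so the case named in the commit title, a fully qualified destination passed by the user, is not exercised under either value of the flag. Adding one scheme-qualified `INSERT OVERWRITE DIRECTORY` per setting would cover it. No authorizer is configured in the visible lines, so the test pins the shape of the `Output:` entity rather than an allow or deny decision. A header comment such as `-- Checks the WriteEntity path form only; authorization is not enabled in this test.` would keep readers from treating it as policy coverage.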
diff --git
a/ql/src/test/results/clientpositive/llap/fully_qualified_or_relative_location.q.out
b/ql/src/test/results/clientpositive/llap/fully_qualified_or_relative_location.q.out
new file mode 100644
index 00000000000..ba399b938d4
--- /dev/null
+++
b/ql/src/test/results/clientpositive/llap/fully_qualified_or_relative_location.q.out
@@ -0,0 +1,16 @@
+PREHOOK: query: INSERT OVERWRITE DIRECTORY 'target/data/x/y/z/' SELECT src.*
FROM src
+PREHOOK: type: QUERY
+PREHOOK: Input: default@src
+#### A masked pattern was here ####
+POSTHOOK: query: INSERT OVERWRITE DIRECTORY 'target/data/x/y/z/' SELECT src.*
FROM src
+POSTHOOK: type: QUERY
+POSTHOOK: Input: default@src
+#### A masked pattern was here ####
+PREHOOK: query: INSERT OVERWRITE DIRECTORY 'target/data/x/y/z/' SELECT src.*
FROM src
+PREHOOK: type: QUERY
+PREHOOK: Input: default@src
+PREHOOK: Output: target/data/x/y/z
+POSTHOOK: query: INSERT OVERWRITE DIRECTORY 'target/data/x/y/z/' SELECT src.*
FROM src
+POSTHOOK: type: QUERY
+POSTHOOK: Input: default@src
+POSTHOOK: Output: target/data/x/y/z