From 6cd08c285a215854929188f4b83af30affa57832 Mon Sep 17 00:00:00 2001
From: SimhadriG
Date: Sun, 20 Nov 2022 08:07:16 +0530
Subject: [PATCH] HIVE-26765: Hive Ranger URL policy for insert overwrite directory denies access when fully qualified paths are passed
---
 .../org/apache/hadoop/hive/conf/HiveConf.java | 4 +++-
 .../hadoop/hive/ql/parse/SemanticAnalyzer.java | 3 ++-
 .../fully_qualified_or_relative_location.q | 10 ++++++++++
 .../fully_qualified_or_relative_location.q.out | 16 ++++++++++++++++
 4 files changed, 31 insertions(+), 2 deletions(-)
 create mode 100644 ql/src/test/queries/clientpositive/fully_qualified_or_relative_location.q
 create mode 100644 ql/src/test/results/clientpositive/llap/fully_qualified_or_relative_location.q.out
diff --git a/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java b/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
index 12688c3f0fe1..bd21d5cb3aa7 100644
--- a/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
+++ b/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
@@ -3487,7 +3487,9 @@ public static enum ConfVars {
 "When true it URL encodes the URI generated by HBaseStorageHandler for authorization. The URI consists of the" +
 "HBase table name, column family, etc. and may contain characters that need encoding, such as #. If set to " +
 "true, the corresponding Ranger policies need to be in URL encoded format too."),
-
+ HIVE_RANGER_USE_FULLY_QUALIFIED_URL("hive.ranger.use.fully.qualified.url", true, "When set to true, fully " +
+ "qualified path will be used to validate against ranger url policies. When set to false relative path is used." +
+ "Cannot be modified at runtime."),
 // For Kudu storage handler
 HIVE_KUDU_MASTER_ADDRESSES_DEFAULT("hive.kudu.master.addresses.default", "localhost:7050",
 "Comma-separated list of all of the Kudu master addresses.\n" +
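Review bot: The help text of `HIVE_RANGER_USE_FULLY_QUALIFIED_URL` ends with "Cannot be modified at runtime", but nothing in this patch enforces that: HiveConf.java gains only these three lines, and the new .q test flips the property with a session-level `set`. Because the flag decides which form of the destination path is handed to authorization, a user who can set it per session chooses the string that a URL policy is matched against. It should be made admin-only, for example by adding `hive.ranger.use.fully.qualified.url` to the default value of `hive.conf.restricted.list`. The concatenation also drops a space, so the text reads "is used.Cannot"; end the second fragment with `"... relative path is used. " +`.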
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/parse/SemanticAnalyzer.java b/ql/src/java/org/apache/hadoop/hive/ql/parse/SemanticAnalyzer.java
index 0f07fa4dbd4b..bdda1aa55105 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/parse/SemanticAnalyzer.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/parse/SemanticAnalyzer.java
@@ -7850,7 +7850,8 @@ protected Operator genFileSinkPlan(String dest, QB qb, Operator input)
 loadFileDesc.setMoveTaskId(moveTaskId);
 loadFileWork.add(loadFileDesc);
 try {
- Path qualifiedPath = destinationPath.getFileSystem(conf).makeQualified(destinationPath);
+ Path qualifiedPath = conf.getBoolVar(ConfVars.HIVE_RANGER_USE_FULLY_QUALIFIED_URL) ?
+ destinationPath.getFileSystem(conf).makeQualified(destinationPath) : destinationPath;
 if (!outputs.add(new WriteEntity(qualifiedPath, !isDfsDir, isDestTempFile))) {
 throw new SemanticException(ErrorMsg.OUTPUT_SPECIFIED_MULTIPLE_TIMES
 .getMsg(destinationPath.toUri().toString()));
diff --git a/ql/src/test/queries/clientpositive/fully_qualified_or_relative_location.q b/ql/src/test/queries/clientpositive/fully_qualified_or_relative_location.q
new file mode 100644
index 000000000000..8b49c1d0f931
--- /dev/null
+++ b/ql/src/test/queries/clientpositive/fully_qualified_or_relative_location.q
@@ -0,0 +1,10 @@
+--! qt:dataset:src
+
+SET hive.insert.into.multilevel.dirs=true;
+SET hive.output.file.extension=.txt;
+
+set hive.ranger.use.fully.qualified.url = true;
+INSERT OVERWRITE DIRECTORY 'target/data/x/y/z/' SELECT src.* FROM src;
+
+set hive.ranger.use.fully.qualified.url = false;
+INSERT OVERWRITE DIRECTORY 'target/data/x/y/z/' SELECT src.* FROM src;
diff --git a/ql/src/test/results/clientpositive/llap/fully_qualified_or_relative_location.q.out b/ql/src/test/results/clientpositive/llap/fully_qualified_or_relative_location.q.out
new file mode 100644
index 000000000000..ba399b938d4a
--- /dev/null
+++ b/ql/src/test/results/clientpositive/llap/fully_qualified_or_relative_location.q.out
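Review bot: With the flag off, the `WriteEntity` is built from the raw `destinationPath`, so the duplicate-output check and every hook or authorizer that reads `outputs` see an unqualified string (the .q.out records `Output: target/data/x/y/z`), while the write itself presumably still resolves against the default filesystem and working directory. A policy written for the absolute URL will not match that string, and the same directory spelled two different ways may no longer be rejected by `outputs.add`. The local is also still named `qualifiedPath` although it can now be unqualified; rename it to `outputPath` and add a comment such as `// Unqualified on purpose when HIVE_RANGER_USE_FULLY_QUALIFIED_URL is false; authorizers must resolve it themselves.` genFileSinkPlan begins and ends outside the hunk.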
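Review bot: Both statements write to the same relative destination `'target/data/x/y/z/'`, so the case named in the issue title, a fully qualified destination, is never exercised under either setting. Adding a statement whose target carries a scheme and authority, run with the flag both on and off, would pin what `PREHOOK: Output` contains in that case. The test also appears to run without any URL policy in effect, so it checks the form of the recorded output entity rather than an allow or deny decision; a header comment such as `-- Verifies the output entity form only; no authorization policy is evaluated here.` would make that limit explicit once confirmed.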
@@ -0,0 +1,16 @@
+PREHOOK: query: INSERT OVERWRITE DIRECTORY 'target/data/x/y/z/' SELECT src.* FROM src
+PREHOOK: type: QUERY
+PREHOOK: Input: default@src
+#### A masked pattern was here ####
+POSTHOOK: query: INSERT OVERWRITE DIRECTORY 'target/data/x/y/z/' SELECT src.* FROM src
+POSTHOOK: type: QUERY
+POSTHOOK: Input: default@src
+#### A masked pattern was here ####
+PREHOOK: query: INSERT OVERWRITE DIRECTORY 'target/data/x/y/z/' SELECT src.* FROM src
+PREHOOK: type: QUERY
+PREHOOK: Input: default@src
+PREHOOK: Output: target/data/x/y/z
+POSTHOOK: query: INSERT OVERWRITE DIRECTORY 'target/data/x/y/z/' SELECT src.* FROM src
+POSTHOOK: type: QUERY
+POSTHOOK: Input: default@src
+POSTHOOK: Output: target/data/x/y/z