From 7fe104a0815ce30651173829aa7dae71a574fcd4 Mon Sep 17 00:00:00 2001 From: Ramesh Mani Date: Tue, 16 Dec 2025 11:39:40 -0800 Subject: [PATCH 1/3] RANGER-5424:Hive Insert command failed in Ranger Docker setup due to authentication and authorization issue --- .../scripts/admin/create-ranger-services.py | 4 + .../scripts/hive/ranger-hive-setup.sh | 80 +++++++++++++------ 2 files changed, 61 insertions(+), 23 deletions(-) diff --git a/dev-support/ranger-docker/scripts/admin/create-ranger-services.py b/dev-support/ranger-docker/scripts/admin/create-ranger-services.py index 28ea034293..23aca395e4 100644 --- a/dev-support/ranger-docker/scripts/admin/create-ranger-services.py +++ b/dev-support/ranger-docker/scripts/admin/create-ranger-services.py @@ -21,6 +21,10 @@ def service_not_exists(service): 'policy.download.auth.users': 'hdfs', 'tag.download.auth.users': 'hdfs', 'userstore.download.auth.users': 'hdfs', + 'default-policy.1.name': 'hive-tez-path', + 'default-policy.1.resource.path': '/*,/tmp', + 'default-policy.1.policyItem.1.users': 'hive', + 'default-policy.1.policyItem.1.accessTypes': 'read,write,execute', 'ranger.plugin.hdfs.policy.refresh.synchronous':'true'}}) hive = RangerService({'name': 'dev_hive', 'type': 'hive', diff --git a/dev-support/ranger-docker/scripts/hive/ranger-hive-setup.sh b/dev-support/ranger-docker/scripts/hive/ranger-hive-setup.sh index bacf00400f..a68e3e33ed 100755 --- a/dev-support/ranger-docker/scripts/hive/ranger-hive-setup.sh +++ b/dev-support/ranger-docker/scripts/hive/ranger-hive-setup.sh 
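Review bot: The `hive-tez-path` default policy added to what appears to be the HDFS service configs in create-ranger-services.py gives user `hive` `read,write,execute` on `/*,/tmp`, which matches at least every top-level HDFS path rather than the Tez and staging paths the name suggests. The next patch in this series sets `default-policy.1.resource.path.is-recursive` to `true`, so the grant then reaches the whole namespace. If the setup script only needs the directories it creates, a narrower value such as `'default-policy.1.resource.path': '/apps/tez,/user/hive,/user/root,/tmp'` (plus whatever warehouse path Hive uses, which is not visible here) keeps the image closer to least privilege. If the broad grant is intended, a comment such as `# dev-only: hive gets rwx on all of HDFS so Tez staging works under Ranger` would keep it from being copied into a real deployment.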
@@ -139,32 +139,66 @@ cp ${HADOOP_HOME}/etc/hadoop/yarn-site.xml ${HIVE_HOME}/conf/ cp ${TEZ_HOME}/conf/tez-site.xml ${HIVE_HOME}/conf/ # Upload Tez libraries to HDFS -su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /apps/tez" hdfs - -# Recreate Tez tarball if it doesn't exist (it gets removed during Docker build) -if [ ! -f "/opt/apache-tez-${TEZ_VERSION}-bin.tar.gz" ]; then - echo "Recreating Tez tarball for HDFS upload..." - cd /opt - tar czf apache-tez-${TEZ_VERSION}-bin.tar.gz apache-tez-${TEZ_VERSION}-bin/ +if [ "${KERBEROS_ENABLED}" == "true" ]; then + echo "Kerberos enabled - authenticating as hive user..." + su -c "kinit -kt /etc/keytabs/hive.keytab hive/\`hostname -f\`@EXAMPLE.COM" hive + su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /apps/tez" hive + + # Recreate Tez tarball if it doesn't exist + if [ ! -f "/opt/apache-tez-${TEZ_VERSION}-bin.tar.gz" ]; then + echo "Recreating Tez tarball for HDFS upload..." + cd /opt + tar czf apache-tez-${TEZ_VERSION}-bin.tar.gz apache-tez-${TEZ_VERSION}-bin/ + fi + + su -c "${HADOOP_HOME}/bin/hdfs dfs -put -f /opt/apache-tez-${TEZ_VERSION}-bin.tar.gz /apps/tez/" hive + su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod -R 755 /apps/tez" hive + su -c "kdestroy" hive +else + # Non-Kerberos mode - use hdfs user + su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /apps/tez" hdfs + + # Recreate Tez tarball if it doesn't exist (it gets removed during Docker build) + if [ ! -f "/opt/apache-tez-${TEZ_VERSION}-bin.tar.gz" ]; then + echo "Recreating Tez tarball for HDFS upload..." 
+ cd /opt + tar czf apache-tez-${TEZ_VERSION}-bin.tar.gz apache-tez-${TEZ_VERSION}-bin/ + fi + + su -c "${HADOOP_HOME}/bin/hdfs dfs -put -f /opt/apache-tez-${TEZ_VERSION}-bin.tar.gz /apps/tez/" hdfs + su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod -R 755 /apps/tez" hdfs fi -su -c "${HADOOP_HOME}/bin/hdfs dfs -put /opt/apache-tez-${TEZ_VERSION}-bin.tar.gz /apps/tez/" hdfs -su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod -R 755 /apps/tez" hdfs - # Create HDFS user directory for hive -su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /user/hive" hdfs -su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod -R 777 /user/hive" hdfs - -# Create HDFS /tmp/hive directory for Tez staging -su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /tmp/hive" hdfs -su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod -R 777 /tmp/hive" hdfs - -# Fix /tmp directory permissions for Ranger (critical for INSERT operations) -su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod 777 /tmp" hdfs - -# Create /user/root directory for YARN job execution -su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /user/root" hdfs -su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod 777 /user/root" hdfs +if [ "${KERBEROS_ENABLED}" == "true" ]; then + su -c "kinit -kt /etc/keytabs/hive.keytab hive/\`hostname -f\`@EXAMPLE.COM" hive + su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /user/hive" hive + su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod -R 777 /user/hive" hive + + # Create HDFS /tmp/hive directory for Tez staging + su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /tmp/hive" hive + su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod -R 777 /tmp/hive" hive + su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod 777 /tmp" hive + + # Create /user/root directory for YARN job execution + su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /user/root" hive + su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod 777 /user/root" hive + su -c "kdestroy" hive +else + su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /user/hive" hdfs + su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod -R 777 /user/hive" hdfs + + # Create HDFS /tmp/hive directory 
for Tez staging + su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /tmp/hive" hdfs + su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod -R 777 /tmp/hive" hdfs + + # Fix /tmp directory permissions for Ranger (critical for INSERT operations) + su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod 777 /tmp" hdfs + + # Create /user/root directory for YARN job execution + su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /user/root" hdfs + su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod 777 /user/root" hdfs +fi # Initialize Hive schema su -c "${HIVE_HOME}/bin/schematool -dbType ${RANGER_DB_TYPE} -initSchema" hive From 6d06e780c677e5f13882957c5735865aa91deeab Mon Sep 17 00:00:00 2001 From: Ramesh Mani Date: Wed, 17 Dec 2025 09:30:33 -0800 Subject: [PATCH 2/3] RANGER-5424:Hive Insert command failed in Ranger Docker setup due to authentication and authorization issue - review comment fix --- .../scripts/admin/create-ranger-services.py | 2 + .../scripts/hive/ranger-hive-setup.sh | 90 +++++++++---------- 2 files changed, 46 insertions(+), 46 deletions(-) diff --git a/dev-support/ranger-docker/scripts/admin/create-ranger-services.py b/dev-support/ranger-docker/scripts/admin/create-ranger-services.py index 23aca395e4..a59e737a0b 100644 --- a/dev-support/ranger-docker/scripts/admin/create-ranger-services.py +++ b/dev-support/ranger-docker/scripts/admin/create-ranger-services.py @@ -21,8 +21,10 @@ def service_not_exists(service): 'policy.download.auth.users': 'hdfs', 'tag.download.auth.users': 'hdfs', 'userstore.download.auth.users': 'hdfs', + 'setup.additional.default.policies': 'true', 'default-policy.1.name': 'hive-tez-path', 'default-policy.1.resource.path': '/*,/tmp', + 'default-policy.1.resource.path.is-recursive': 'true', 'default-policy.1.policyItem.1.users': 'hive', 'default-policy.1.policyItem.1.accessTypes': 'read,write,execute', 'ranger.plugin.hdfs.policy.refresh.synchronous':'true'}}) 
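Review bot: Both new branches of the first ranger-hive-setup.sh hunk (`@@ -139,32 +139,66 @@`) leave `/user/hive` (`-chmod -R 777`) and `/user/root` (`-chmod 777`) world-writable without a sticky bit, so any HDFS identity can add, replace or delete entries under directories that Hive and YARN jobs read from. In the Kerberos branch `hive` creates `/user/hive` itself and presumably owns it, so `-chmod 755 /user/hive` should be enough there. If `/user/root` has to stay shared, `-chmod 1777 /user/root` at least stops users from removing each other's files. The same modes are carried into `create_hdfs_directories_and_files` by the later patches in this series, where only `/tmp` and `/tmp/hive` gain the sticky bit.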
diff --git a/dev-support/ranger-docker/scripts/hive/ranger-hive-setup.sh b/dev-support/ranger-docker/scripts/hive/ranger-hive-setup.sh index a68e3e33ed..5daae22e61 100755 --- a/dev-support/ranger-docker/scripts/hive/ranger-hive-setup.sh +++ b/dev-support/ranger-docker/scripts/hive/ranger-hive-setup.sh @@ -128,6 +128,36 @@ cat < ${TEZ_HOME}/conf/tez-site.xml EOF +rebuild_tez_tarball() { + if [ ! -f "/opt/apache-tez-${TEZ_VERSION}-bin.tar.gz" ]; then + echo "Recreating Tez tarball for HDFS upload..." + cd /opt + tar czf apache-tez-${TEZ_VERSION}-bin.tar.gz apache-tez-${TEZ_VERSION}-bin/ + fi +} + +create_hdfs_directories_and_files() { + exec_user=$1; + + # prepare tez directories and files in hdfs folders + su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /apps/tez" $exec_user + su -c "${HADOOP_HOME}/bin/hdfs dfs -put -f /opt/apache-tez-${TEZ_VERSION}-bin.tar.gz /apps/tez/" $exec_user + su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod -R 755 /apps/tez" $exec_user + + # Create HDFS user directory for hive + su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /user/hive" $exec_user + su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod -R 777 /user/hive" $exec_user + + # Create HDFS /tmp/hive directory for Tez staging + su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /tmp/hive" $exec_user + su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod -R 777 /tmp/hive" $exec_user + su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod 777 /tmp" $exec_user + + # Create /user/root directory for YARN job execution + su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /user/root" $exec_user + su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod 777 /user/root" $exec_user +} + # Copy Tez JARs to Hive lib directory cp ${TEZ_HOME}/lib/tez-*.jar ${HIVE_HOME}/lib/ cp ${TEZ_HOME}/tez-*.jar ${HIVE_HOME}/lib/ 
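Review bot: `create_hdfs_directories_and_files` ignores the exit status of every `su -c "... hdfs dfs ..."` step, so a denied or failed `-mkdir`, `-put` or `-chmod` is silent and the script carries on with a partial HDFS layout. That matters most on the Kerberos path, where the steps run as `hive` and succeed only if authorization allows them. Routing each step through a small wrapper that names the failing command and returns non-zero, and changing the call sites to `create_hdfs_directories_and_files 'hive' || exit 1` (likewise for `'hdfs'`), would surface the failure; declaring `exec_user` with `local` also keeps it out of the global scope. Whether the script already runs under `set -e` is not visible in this hunk.

```shell
create_hdfs_directories_and_files() {
    local exec_user=$1

    # Run one `hdfs dfs` step as $exec_user; name the failing step on stderr.
    hdfs_as() {
        su -c "${HADOOP_HOME}/bin/hdfs dfs $*" "$exec_user" && return 0
        echo "ERROR: 'hdfs dfs $*' failed as ${exec_user}" >&2
        return 1
    }

    hdfs_as -mkdir -p /apps/tez || return 1
    hdfs_as -put -f "/opt/apache-tez-${TEZ_VERSION}-bin.tar.gz" /apps/tez/ || return 1
    hdfs_as -chmod -R 755 /apps/tez || return 1
    # … remaining /user/hive, /tmp/hive, /tmp and /user/root steps follow the same pattern …
}
```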
@@ -142,62 +172,30 @@ cp ${TEZ_HOME}/conf/tez-site.xml ${HIVE_HOME}/conf/ if [ "${KERBEROS_ENABLED}" == "true" ]; then echo "Kerberos enabled - authenticating as hive user..." su -c "kinit -kt /etc/keytabs/hive.keytab hive/\`hostname -f\`@EXAMPLE.COM" hive - su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /apps/tez" hive + rc=$? + if [ $rc -ne 0 ]; then + echo "ERROR: kinit failed for hive principal (exit code=$rc)" >&2 + exit $rc + fi + + echo "kinit successful, proceeding operations as hive user" # Recreate Tez tarball if it doesn't exist - if [ ! -f "/opt/apache-tez-${TEZ_VERSION}-bin.tar.gz" ]; then - echo "Recreating Tez tarball for HDFS upload..." - cd /opt - tar czf apache-tez-${TEZ_VERSION}-bin.tar.gz apache-tez-${TEZ_VERSION}-bin/ - fi + rebuild_tez_tarball + + #create hdfs directories and files for hive and tez + create_hdfs_directories_and_files 'hive' - su -c "${HADOOP_HOME}/bin/hdfs dfs -put -f /opt/apache-tez-${TEZ_VERSION}-bin.tar.gz /apps/tez/" hive - su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod -R 755 /apps/tez" hive su -c "kdestroy" hive else # Non-Kerberos mode - use hdfs user su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /apps/tez" hdfs # Recreate Tez tarball if it doesn't exist (it gets removed during Docker build) - if [ ! -f "/opt/apache-tez-${TEZ_VERSION}-bin.tar.gz" ]; then - echo "Recreating Tez tarball for HDFS upload..." 
- cd /opt - tar czf apache-tez-${TEZ_VERSION}-bin.tar.gz apache-tez-${TEZ_VERSION}-bin/ - fi - - su -c "${HADOOP_HOME}/bin/hdfs dfs -put -f /opt/apache-tez-${TEZ_VERSION}-bin.tar.gz /apps/tez/" hdfs - su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod -R 755 /apps/tez" hdfs -fi - -# Create HDFS user directory for hive -if [ "${KERBEROS_ENABLED}" == "true" ]; then - su -c "kinit -kt /etc/keytabs/hive.keytab hive/\`hostname -f\`@EXAMPLE.COM" hive - su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /user/hive" hive - su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod -R 777 /user/hive" hive - - # Create HDFS /tmp/hive directory for Tez staging - su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /tmp/hive" hive - su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod -R 777 /tmp/hive" hive - su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod 777 /tmp" hive - - # Create /user/root directory for YARN job execution - su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /user/root" hive - su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod 777 /user/root" hive - su -c "kdestroy" hive -else - su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /user/hive" hdfs - su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod -R 777 /user/hive" hdfs - - # Create HDFS /tmp/hive directory for Tez staging - su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /tmp/hive" hdfs - su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod -R 777 /tmp/hive" hdfs - - # Fix /tmp directory permissions for Ranger (critical for INSERT operations) - su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod 777 /tmp" hdfs + rebuild_tez_tarball - # Create /user/root directory for YARN job execution - su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /user/root" hdfs - su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod 777 /user/root" hdfs + #create hdfs directories and files for hive and tez + create_hdfs_directories_and_files 'hdfs' fi # Initialize Hive schema From 0f678e9888dda2654a21eda11944e6341b352fe4 Mon Sep 17 00:00:00 2001 
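Review bot: The Kerberos branch now runs the whole HDFS bootstrap as `hive`, including `-chmod` on `/tmp` and creating `/user/root`, and nothing in the script says why that is expected to be permitted. It presumably relies on the `hive-tez-path` default policy this series adds in create-ranger-services.py. A comment above the `kinit`, such as `# Runs as hive: requires the 'hive-tez-path' Ranger policy from create-ranger-services.py to be in effect`, would make that ordering dependency visible to the next maintainer. The else branch also keeps its own `-mkdir -p /apps/tez` as `hdfs`, which the helper then repeats.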
From: Ramesh Mani Date: Wed, 17 Dec 2025 10:53:42 -0800 Subject: [PATCH 3/3] RANGER-5424:Hive Insert command failed in Ranger Docker setup due to authentication and authorization issue - review comment fix #2 --- .../scripts/hive/ranger-hive-setup.sh | 29 +++++++++---------- 1 file changed, 14 insertions(+), 15 deletions(-) diff --git a/dev-support/ranger-docker/scripts/hive/ranger-hive-setup.sh b/dev-support/ranger-docker/scripts/hive/ranger-hive-setup.sh index 5daae22e61..442824c83a 100755 --- a/dev-support/ranger-docker/scripts/hive/ranger-hive-setup.sh +++ b/dev-support/ranger-docker/scripts/hive/ranger-hive-setup.sh 
@@ -131,31 +131,30 @@ EOF rebuild_tez_tarball() { if [ ! -f "/opt/apache-tez-${TEZ_VERSION}-bin.tar.gz" ]; then echo "Recreating Tez tarball for HDFS upload..." - cd /opt - tar czf apache-tez-${TEZ_VERSION}-bin.tar.gz apache-tez-${TEZ_VERSION}-bin/ + tar -C /opt -czf /opt/apache-tez-${TEZ_VERSION}-bin.tar.gz apache-tez-${TEZ_VERSION}-bin/ fi } create_hdfs_directories_and_files() { - exec_user=$1; + exec_user=$1 # prepare tez directories and files in hdfs folders - su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /apps/tez" $exec_user - su -c "${HADOOP_HOME}/bin/hdfs dfs -put -f /opt/apache-tez-${TEZ_VERSION}-bin.tar.gz /apps/tez/" $exec_user - su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod -R 755 /apps/tez" $exec_user + su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /apps/tez" "$exec_user" + su -c "${HADOOP_HOME}/bin/hdfs dfs -put -f /opt/apache-tez-${TEZ_VERSION}-bin.tar.gz /apps/tez/" "$exec_user" + su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod -R 755 /apps/tez" "$exec_user" # Create HDFS user directory for hive - su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /user/hive" $exec_user - su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod -R 777 /user/hive" $exec_user + su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /user/hive" "$exec_user" + su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod -R 777 /user/hive" "$exec_user" # Create HDFS /tmp/hive directory for Tez staging - su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /tmp/hive" $exec_user - su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod -R 777 /tmp/hive" $exec_user - su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod 777 /tmp" $exec_user + su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /tmp/hive" "$exec_user" + su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod -R 1777 /tmp/hive" "$exec_user" + su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod 1777 /tmp" "$exec_user" # Create /user/root directory for YARN job execution - su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /user/root" $exec_user - su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod 777 /user/root" $exec_user + su -c 
"${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /user/root" "$exec_user" + su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod 777 /user/root" "$exec_user" } # Copy Tez JARs to Hive lib directory @@ -183,7 +182,7 @@ if [ "${KERBEROS_ENABLED}" == "true" ]; then # Recreate Tez tarball if it doesn't exist rebuild_tez_tarball - #create hdfs directories and files for hive and tez + # Create hdfs directories and files for hive and tez create_hdfs_directories_and_files 'hive' su -c "kdestroy" hive @@ -194,7 +193,7 @@ else # Recreate Tez tarball if it doesn't exist (it gets removed during Docker build) rebuild_tez_tarball - #create hdfs directories and files for hive and tez + # Create hdfs directories and files for hive and tez create_hdfs_directories_and_files 'hdfs' fi
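Review bot: `-chmod -R 1777 /tmp/hive` in `create_hdfs_directories_and_files` applies the mode recursively, so every file and subdirectory already under `/tmp/hive` becomes world-readable and world-writable, and a re-run resets any tighter permissions on existing subdirectories. The sticky bit only has an effect on directories, so setting it on the top-level directory alone should be enough: `su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod 1777 /tmp/hive" "$exec_user"`. A short comment above the line, for example `# sticky bit: users may create entries here but not remove each other's`, would record why 1777 replaced 777.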