This is an automated email from the ASF dual-hosted git repository.

zhangbutao pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/hive.git


The following commit(s) were added to refs/heads/master by this push:
     new 17fedf0db03 HIVE-28797: Hive Delegation Token Renewal fails for any 
kerberos principal user other than hive user (#5669)(Vikram Ahuja, reviewed by 
Chinna Rao Lalam, Butao Zhang)
17fedf0db03 is described below

commit 17fedf0db0352be02370bdeec0d867932edccf1c
Author: Vikram Ahuja <[email protected]>
AuthorDate: Mon Apr 7 15:03:18 2025 +0530

    HIVE-28797: Hive Delegation Token Renewal fails for any kerberos principal 
user other than hive user (#5669)(Vikram Ahuja, reviewed by Chinna Rao Lalam, 
Butao Zhang)
---
 .../TokenStoreDelegationTokenSecretManager.java    | 13 ++++--
 ...TestTokenStoreDelegationTokenSecretManager.java | 46 ++++++++++++++++++++++
 2 files changed, 55 insertions(+), 4 deletions(-)

diff --git 
a/standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/security/TokenStoreDelegationTokenSecretManager.java
 
b/standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/security/TokenStoreDelegationTokenSecretManager.java
index 01182b89812..a9a2a8d9aa5 100644
--- 
a/standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/security/TokenStoreDelegationTokenSecretManager.java
+++ 
b/standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/security/TokenStoreDelegationTokenSecretManager.java
@@ -105,7 +105,11 @@ public byte[] retrievePassword(DelegationTokenIdentifier 
identifier) throws Inva
       if (info == null) {
           throw new InvalidToken("token expired or does not exist: " + 
identifier);
       }
-      renewIfRequired(System.currentTimeMillis(), identifier, info);
+      try {
+        renewIfRequired(identifier, info);
+      } catch (InvalidToken e) {
+        LOGGER.warn("Failed to renew token: " + identifier, e);
+      }
       // we have to fetch the token again as it has been renewed and info 
still contains the previous renew time.
       info = this.tokenStore.getToken(identifier);
 
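Review bot: The new `catch (InvalidToken e)` in retrievePassword logs at WARN with a full stack trace, and this path appears to run whenever a client presents a token, so a token whose renewal keeps failing can flood the metastore log. Consider logging only the message at WARN and keeping the stack trace at debug level, e.g. `LOGGER.warn("Failed to renew token: {} ({})", identifier, e.getMessage());` (assuming LOGGER is an SLF4J logger). The re-fetch after the catch may also return null if the token was removed in the meantime. The rest of retrievePassword is outside the hunk, so confirm `info` is null-checked again before it is used.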
@@ -255,7 +259,7 @@ protected void renewOrRemoveExpiredTokens() {
       } else {
         // get token info to check renew date
         try {
-          renewIfRequired(now, id, tokenStore.getToken(id));
+          renewIfRequired(id, tokenStore.getToken(id));
         } catch (InvalidToken e) {
           LOGGER.warn("Failed to renew token: " + id, e);
         }
@@ -263,8 +267,9 @@ protected void renewOrRemoveExpiredTokens() {
     }
   }
 
-  private void renewIfRequired(long currentTime, DelegationTokenIdentifier id, 
DelegationTokenInformation tokenInfo)
+  public void renewIfRequired(DelegationTokenIdentifier id, 
DelegationTokenInformation tokenInfo)
           throws InvalidToken {
+    long currentTime = System.currentTimeMillis();
     if (tokenInfo != null) {
       if (currentTime > tokenInfo.getRenewDate() && currentTime < 
id.getMaxDate()) {
         // This will be the case when now > tokenInfo.getRenewDate() but less 
than the token expiration/max time.
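Review bot: `renewIfRequired` is widened from `private` to `public`, apparently only so the new test can call it, which lets any code holding the secret manager extend a token's renew date with no check of who is asking. The test is in the same package, so package-private visibility with a `// visible for testing` comment would be enough: `void renewIfRequired(DelegationTokenIdentifier id, DelegationTokenInformation tokenInfo)`. The method also lacks a Javadoc saying that it renews on behalf of the token's own renewer and only while the current time is below `id.getMaxDate()`. The method body continues outside the hunk.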
@@ -273,7 +278,7 @@ private void renewIfRequired(long currentTime, 
DelegationTokenIdentifier id, Del
           DelegationKey key = getDelegationKey(id.getMasterKeyId());
           Token<DelegationTokenIdentifier> t = new Token<>(id.getBytes(), 
createPassword(id.getBytes(), key.getKey()),
                   id.getKind(), new Text());
-          renewToken(t, 
UserGroupInformation.getCurrentUser().getShortUserName());
+          renewToken(t, getTokenIdentifier(t).getRenewer().toString());
         } catch (IOException e) {
           throw new InvalidToken("Unable to renew token: " + id + " due to " + 
e.getMessage());
         }
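Review bot: Passing `getTokenIdentifier(t).getRenewer().toString()` takes the renewer from the token being renewed, so any renewer-equality check inside `renewToken` (not shown here) can no longer reject a request, and whether renewal is allowed now rests entirely on the callers of `renewIfRequired`. That looks intended for server-initiated renewal, but it deserves a comment at the call, e.g. `// renew as the token's own renewer: server-side auto-renewal, not a client request`. `id` is already in scope, so `id.getRenewer().toString()` would avoid decoding the identifier from `t` a second time. If `getRenewer()` can return null, handle it explicitly, because the `catch (IOException e)` below would not catch the resulting NullPointerException. The enclosing try block starts outside the hunk.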
diff --git 
a/standalone-metastore/metastore-server/src/test/java/org/apache/hadoop/hive/metastore/security/TestTokenStoreDelegationTokenSecretManager.java
 
b/standalone-metastore/metastore-server/src/test/java/org/apache/hadoop/hive/metastore/security/TestTokenStoreDelegationTokenSecretManager.java
index ff0997cfddf..c3c6a68c8df 100644
--- 
a/standalone-metastore/metastore-server/src/test/java/org/apache/hadoop/hive/metastore/security/TestTokenStoreDelegationTokenSecretManager.java
+++ 
b/standalone-metastore/metastore-server/src/test/java/org/apache/hadoop/hive/metastore/security/TestTokenStoreDelegationTokenSecretManager.java
@@ -92,6 +92,52 @@ private DelegationTokenIdentifier getID(String tokenStr) 
throws IOException {
     }
   }
 
+  @Test public void testTokenRenewalWithDifferentUsers() throws IOException, 
InterruptedException {
+    DelegationTokenStore tokenStore = new MemoryTokenStore();
+    // Have a long renewal to ensure that Thread.sleep does not overshoot the 
initial validity
+    TokenStoreDelegationTokenSecretManager mgr = createTokenMgr(tokenStore, 1, 
MetastoreConf.getTimeVar(
+            conf, MetastoreConf.ConfVars.DELEGATION_TOKEN_GC_INTERVAL, 
TimeUnit.SECONDS), MetastoreConf.getTimeVar(conf,
+            MetastoreConf.ConfVars.DELEGATION_TOKEN_MAX_LIFETIME, 
TimeUnit.SECONDS));
+    try {
+      mgr.startThreads();
+      String tokenStr1 =
+              
mgr.getDelegationToken(UserGroupInformation.getCurrentUser().getShortUserName(),
+                      
UserGroupInformation.getCurrentUser().getShortUserName());
+      String tokenStr2 =
+              mgr.getDelegationToken("user1", "user1");
+
+      Assert.assertNotNull(mgr.verifyDelegationToken(tokenStr1));
+      Assert.assertNotNull(mgr.verifyDelegationToken(tokenStr2));
+
+      DelegationTokenIdentifier id1 = getID(tokenStr1);
+      DelegationTokenIdentifier id2 = getID(tokenStr2);
+
+      long initialExpiry1 = tokenStore.getToken(id1).getRenewDate();
+      long initialExpiry2 = tokenStore.getToken(id2).getRenewDate();
+
+      Thread.sleep(3000);
+      Assert.assertTrue(System.currentTimeMillis() > id1.getIssueDate());
+      Assert.assertTrue(System.currentTimeMillis() > id2.getIssueDate());
+      // No change in renewal date without renewal
+      Assert.assertEquals(tokenStore.getToken(id1).getRenewDate(), 
initialExpiry1);
+      Assert.assertEquals(tokenStore.getToken(id2).getRenewDate(), 
initialExpiry2);
+
+      // Renewal Call
+      mgr.renewIfRequired(id1 ,tokenStore.getToken(id1));
+      mgr.renewIfRequired(id2 ,tokenStore.getToken(id2));
+
+      // Verify the token is valid
+      Assert.assertNotNull(mgr.verifyDelegationToken(tokenStr1));
+      Assert.assertNotNull(mgr.verifyDelegationToken(tokenStr2));
+
+      // Renewal date has increased after renewal
+      Assert.assertTrue(tokenStore.getToken(id1).getRenewDate() > 
initialExpiry1);
+      Assert.assertTrue(tokenStore.getToken(id2).getRenewDate() > 
initialExpiry2);
+    } finally {
+      mgr.stopThreads();
+    }
+  }
+
   @Test public void testTokenRenewalAndRemoval() throws IOException, 
InterruptedException {
     DelegationTokenStore tokenStore = new MemoryTokenStore();
     TokenStoreDelegationTokenSecretManager mgr = createTokenMgr(tokenStore, 2, 
1, 8);
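Review bot: testTokenRenewalWithDifferentUsers only issues tokens whose owner and renewer are the same name (`"user1", "user1"`), so it would still pass if renewal worked only when owner equals renewer. Adding a token whose renewer differs from its owner, and one with an empty renewer, would pin the behaviour this fix changes. The comment "Have a long renewal" sits above a createTokenMgr call that passes `1` as its second argument, and the fixed `Thread.sleep(3000)` ties the result to timing, so a short comment stating the units and why 3000 ms is sufficient would help. `Assert.assertEquals` takes the expected value first, so `Assert.assertEquals(initialExpiry1, tokenStore.getToken(id1).getRenewDate());` would give correct failure messages.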
