hzxiongyinke commented on code in PR #4821:
URL: https://github.com/apache/hive/pull/4821#discussion_r1381113067
##########
ql/src/java/org/apache/hadoop/hive/ql/session/SessionState.java:
##########
@@ -765,6 +768,32 @@ private static void start(SessionState startSs, boolean
isAsync, LogHelper conso
}
}
+ /**
+ * Set hive metastore delegation token in current UGI
+ */
+ private void setHiveMetastoreDelegationTokenToUGI() {
+ if (this.isHiveServerQuery) {
+ return;
+ }
+ if (!getSessionConf().getBoolVar(ConfVars.METASTORE_USE_THRIFT_SASL)) {
+ return;
+ }
+ try {
+ UserGroupInformation UGI = Utils.getUGI();
+ String hmsDelegationTokenStr =
Hive.get().getDelegationToken(UGI.getShortUserName(), UGI.getShortUserName());
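Review bot: in the `Hive.get().getDelegationToken(UGI.getShortUserName(), UGI.getShortUserName())` call the same short user name is passed as both owner and renewer, and nothing in the hunk says why the session user should be its own renewer; a one-line comment stating that intent (or passing the intended renewer principal) would make the token's renewal scope reviewable. The Javadoc on `setHiveMetastoreDelegationTokenToUGI()` should also state the two early-return conditions (`isHiveServerQuery` set, `METASTORE_USE_THRIFT_SASL` disabled), since callers otherwise cannot tell when no token is added. Style: the local `UGI` should be lowerCamelCase (`ugi`) so it does not read as a constant or a type.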
Review Comment:
> I think `Hive.get().getDelegationToken` will create a connection to
> metastore, and the session can reuse this Hive client later on. It looks like the
> token got in this step takes no effect.

For the Iceberg issue https://github.com/apache/iceberg/issues/3127: when inserting into
an Iceberg table with the Hive client, the Iceberg table commit action occurs during the
ApplicationMaster commit job phase without Kerberos info, so we can only rely on
the HiveMetastore DelegationToken to solve this problem.

"will create a connection to metastore" means a new HiveMetastoreClient.
However, the Hive client does not enable "HADOOP_PROXY_USER", which means
that no DelegationToken will be stuffed into the UGI.