dengzhhu653 commented on code in PR #4821:
URL: https://github.com/apache/hive/pull/4821#discussion_r1387418364


##########
ql/src/java/org/apache/hadoop/hive/ql/session/SessionState.java:
##########
@@ -765,6 +768,32 @@ private static void start(SessionState startSs, boolean 
isAsync, LogHelper conso
     }
   }
 
+  /**
+   * Set hive metastore delegation token in current UGI
+   */
+  private void setHiveMetastoreDelegationTokenToUGI() {
+    if (this.isHiveServerQuery) {
+      return;
+    }
+    if (!getSessionConf().getBoolVar(ConfVars.METASTORE_USE_THRIFT_SASL)) {
+      return;
+    }
+    try {
+      UserGroupInformation UGI = Utils.getUGI();
+      String hmsDelegationTokenStr = 
Hive.get().getDelegationToken(UGI.getShortUserName(), UGI.getShortUserName());
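
Review bot: the METASTORE_USE_THRIFT_SASL guard at the top of setHiveMetastoreDelegationTokenToUGI() only shows that the metastore connection is configured for SASL, not that this client process holds Kerberos credentials, so an explicit check on the UGI before calling getDelegationToken(...) would state the real precondition. The call also passes UGI.getShortUserName() as both owner and renewer; if that is intended, the Javadoc should say so, and it should mention the two early returns as well. The local variable UGI reads like a constant and would be clearer as ugi.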

Review Comment:
   Hi @hzxiongyinke,
   > 1.if the token being expired , we can do renew token such as
   
   I'm not sure how to trigger the token renewal in HiveSessionImplWithUGI; as I understand from the context, this happens on the Hive client, not HiveServer2.
   
   > if token has set in UGI, new HMS client will check ConfVars.TOKEN_SIGNATURE for tokenSig, which ConfVars.TOKEN_SIGNATURE has set in SessionState
   
   That's right. What concerns me is that the App master doesn't sit inside the Hive client; they are two different processes, and the App master may not know the token in the Hive client.
   
   > Clients must authenticate with Kerberos
   
   Right, this is a property for connecting to HMS; it doesn't mean the client itself is Kerberos based. I would prefer to add the check here, in my opinion.
   
   
   


