Re: [PR] HIVE-28913: When calling the reconnect() method in HiveMetaStoreClient, if HADOOP_PROXY_USER is set, a delegation token must be issued for the proxy user. [hive]

[via GitHub]

koodin9 commented on code in PR #5775:
URL: https://github.com/apache/hive/pull/5775#discussion_r2057446098


##########
standalone-metastore/metastore-common/src/main/java/org/apache/hadoop/hive/metastore/HiveMetaStoreClient.java:
##########
@@ -389,6 +359,52 @@ private void resolveUris() throws MetaException {
     }
   }
 
+  private void generateProxyUserDelegationToken() throws MetaException {
+    //If HADOOP_PROXY_USER is set in env or property,
+    //then need to create metastore client that proxies as that user.
+    String HADOOP_PROXY_USER = "HADOOP_PROXY_USER";
+    String proxyUser = System.getenv(HADOOP_PROXY_USER);
+    if (proxyUser == null) {
+      proxyUser = System.getProperty(HADOOP_PROXY_USER);
+    }
+    //if HADOOP_PROXY_USER is set, create DelegationToken using real user
+    if (proxyUser != null) {
+      LOG.info(HADOOP_PROXY_USER + " is set. Using delegation "
+          + "token for HiveMetaStore connection.");
+      try {
+        
UserGroupInformation.getRealUserOrSelf(UserGroupInformation.getLoginUser()).doAs(
+            new PrivilegedExceptionAction<Void>() {
+              @Override
+              public Void run() throws Exception {
+                open();
+                return null;
+              }
+            });
+        Collection<Token<? extends TokenIdentifier>> tokens = 
UserGroupInformation.getCurrentUser().getTokens();
+        for (Token<? extends TokenIdentifier> token : tokens) {
+          if 
(token.getKind().equals(DelegationTokenIdentifier.HIVE_DELEGATION_KIND)) {
+            // We have a delegation token for current user, so we can use it 
to connect to the metastore
+            LOG.info("Found delegation token for " + proxyUser);
+            return;
+          }
+        }
+
+        String delegationTokenPropString = 
"DelegationTokenForHiveMetaStoreServer";
+        String delegationTokenStr = getDelegationToken(proxyUser, proxyUser);
+        SecurityUtils.setTokenStr(UserGroupInformation.getCurrentUser(), 
delegationTokenStr,
+            delegationTokenPropString);
+        MetastoreConf.setVar(this.conf, ConfVars.TOKEN_SIGNATURE, 
delegationTokenPropString);
+        close();

Review Comment:
   
[c1d5ce3](https://github.com/apache/hive/pull/5775/commits/c1d5ce37f3a8fabd1d2e499141ba6e7294164629)
   Thank you for reviewing it.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: gitbox-unsubscr...@hive.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: gitbox-unsubscr...@hive.apache.org
For additional commands, e-mail: gitbox-h...@hive.apache.org