Re: [PR] HIVE-28913: When calling the reconnect() method in HiveMetaStoreClient, if HADOOP_PROXY_USER is set, a delegation token must be issued for the proxy user. [hive]

[via GitHub]

koodin9 commented on code in PR #5775:
URL: https://github.com/apache/hive/pull/5775#discussion_r2057615303


##########
standalone-metastore/metastore-common/src/main/java/org/apache/hadoop/hive/metastore/HiveMetaStoreClient.java:
##########
@@ -502,6 +506,9 @@ public void reconnect() throws MetaException {
         // connection has died and the default connection is likely to be the 
first array element.
         promoteRandomMetaStoreURI();
       }
+
+      generateProxyUserDelegationToken();

Review Comment:
   @deniskuzZ 
   It seems the process of generating a new token is definitely necessary.
   When the HiveMetaStoreClient constructor created the Delegation Token for 
the proxy user, the result of calling 
UserGroupInformation.getCurrentUser().getTokens() correctly contained the 
token, as expected.
   ```
   [2025-04-24 14:01:33,413] INFO [45337-limtan-ib-g19-3|task-0] finish 
creating DT. current User(koodin-9 (auth:PROXY) via superduper@KERBEROS.HADOOP 
(auth:KERBEROS)) getTokens: [Kind: HIVE_DELEGATION_TOKEN, Service: 
DelegationTokenForHiveMetaStoreServer, Ident: ...] (hive.metastore:334)
   ```
   
   However, when checking by calling 
UserGroupInformation.getCurrentUser().getTokens() at the point reconnect() was 
invoked, it always showed an empty value.
   In the 3f5a258, logging was added to the SecurityUtils.getTokenStrForm 
function, and when it was called, the results were as follows.
   ```
       public static String getTokenStrForm(String tokenSignature) throws 
IOException {
           UserGroupInformation ugi = UserGroupInformation.getCurrentUser();
           TokenSelector<? extends TokenIdentifier> tokenSelector = new 
DelegationTokenSelector();
   
           LOG.info("ok, ugi getTokens? : {}", ugi.getTokens());
           LOG.info("ok, ugi realUser getTokens? : {}", 
ugi.getRealUser().getTokens());
   
           Token<? extends TokenIdentifier> token = tokenSelector.selectToken(
                   tokenSignature == null ? new Text() : new 
Text(tokenSignature), ugi.getTokens());
           return token != null ? token.encodeToUrlString() : null;
       }
   ```
   
   ```
   [2025-04-24 14:32:51,577] INFO [45337-limtan-ib-g19-3|task-2] ok, ugi 
getTokens? : [] (org.apache.hadoop.hive.metastore.utils.SecurityUtils:159)
   [2025-04-24 14:32:51,578] INFO [45337-limtan-ib-g19-3|task-2] ok, ugi 
realUser getTokens? : [] 
(org.apache.hadoop.hive.metastore.utils.SecurityUtils:160)
   ```
   
   I am not sure why the token information in 
UserGroupInformation.getCurrentUser().getTokens() disappears after the Hive 
Metastore restarts. Would you happen to know the reason for this?
   



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: gitbox-unsubscr...@hive.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: gitbox-unsubscr...@hive.apache.org
For additional commands, e-mail: gitbox-h...@hive.apache.org