Re: [PR] HIVE-28042: DigestMD5 token expired or does not exist issue while opening connection to HMS [hive]

Fri, 25 Apr 2025 02:12:03 -0700 


pan3793 commented on code in PR #5358:
URL: https://github.com/apache/hive/pull/5358#discussion_r2059864056


##########
standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/security/TokenStoreDelegationTokenSecretManager.java:
##########
@@ -236,22 +246,40 @@ public synchronized void stopThreads() {
    * that cannot be reused due to private method access. Logic here can more 
efficiently
    * deal with external token store by only loading into memory the minimum 
data needed.
    */
-  protected void removeExpiredTokens() {
+  protected void renewOrRemoveExpiredTokens() {
     long now = System.currentTimeMillis();
-    Iterator<DelegationTokenIdentifier> i = 
tokenStore.getAllDelegationTokenIdentifiers()
-        .iterator();
-    while (i.hasNext()) {
-      DelegationTokenIdentifier id = i.next();
+    for (DelegationTokenIdentifier id : 
tokenStore.getAllDelegationTokenIdentifiers()) {
       if (now > id.getMaxDate()) {
+        LOGGER.info("Expiry Thread removing expired token: " + id);
         this.tokenStore.removeToken(id); // no need to look at token info
       } else {
         // get token info to check renew date
-        DelegationTokenInformation tokenInfo = tokenStore.getToken(id);
-        if (tokenInfo != null) {
-          if (now > tokenInfo.getRenewDate()) {
-            this.tokenStore.removeToken(id);
-          }
+        try {
+          renewIfRequired(now, id, tokenStore.getToken(id));
+        } catch (InvalidToken e) {
+          LOGGER.warn("Failed to renew token: " + id, e);
+        }
+      }
+    }
+  }
+
+  private void renewIfRequired(long currentTime, DelegationTokenIdentifier id, 
DelegationTokenInformation tokenInfo)
+          throws InvalidToken {
+    if (tokenInfo != null) {
+      if (currentTime > tokenInfo.getRenewDate() && currentTime < 
id.getMaxDate()) {
+        // This will be the case when now > tokenInfo.getRenewDate() but less 
than the token expiration/max time.

Review Comment:
   This seems to violate the design purpose of "renew date" - renewals are only 
allowed before this instant.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: gitbox-unsubscr...@hive.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: gitbox-unsubscr...@hive.apache.org
For additional commands, e-mail: gitbox-h...@hive.apache.org

Reply via email to