Re: [PR] HIVE-29615: Fix Hive Metastore and NameNode connection failure due to SASL no common protection layer between client and server [hive]

Wed, 20 May 2026 19:26:45 -0700 


VenuReddy2103 commented on code in PR #6492:
URL: https://github.com/apache/hive/pull/6492#discussion_r3278279758


##########
standalone-metastore/metastore-tools/tools-common/src/main/java/org/apache/hadoop/hive/metastore/tools/HMSClient.java:
##########
@@ -483,15 +482,14 @@ private TTransport open(Configuration conf, @NotNull URI 
uri) throws
         LOG.info("HMSC::open(): Found delegation token. Creating DIGEST-based 
thrift connection.");
         // authenticate using delegation tokens via the "DIGEST" mechanism
         transport = authBridge.createClientTransport(null, host,
-            "DIGEST", tokenStrForm, transport,
-            MetaStoreUtils.getMetaStoreSaslProperties(conf, useSSL));
+            "DIGEST", tokenStrForm, transport, saslProperties);

Review Comment:
   > This changes Metastore's transport as well, I have two concerns:
   > 
   > 1. will Kerberos(hadoop.rpc.protection=privacy) + SSL can work together in 
Metastore, i.e, will there have any connect issues between Metastore client and 
server?
   
   It worked. I have verified with this setup.
   
   > 2. sounds like a breaking change for old Metastore clients, they need to 
upgrade to the latest the Metastore lib, should we take care of or document 
that?
   > 
   `hadoop.rpc.protection `is comma seperated values. 3 values allowed are 
`authentication`,`integrity` and `privacy`. Server and client negotiates during 
handshake. As long as the server side config has `authentication`  as one of 
the value included in the `hadoop.rpc.protection` it works for the old clients 
too.
   
   When the server side `hadoop.rpc.protection` has just `integrity`  or 
`privacy` or `integrity,privacy`  then server and client negotiation fails with 
the error because, on old clients we overwrite with `authentication`.
   IMHO, It is rather a bug fix to support `integrity`  or `privacy` or 
`integrity,privacy` alone values for `hadoop.rpc.protection`.
   
   



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to