[jira] [Updated] (FLINK-36405) Fix startup issues due to Hive delegation token on kerberos clusters

Tue, 15 Oct 2024 06:41:09 -0700 


     [ 
https://issues.apache.org/jira/browse/FLINK-36405?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Ferenc Csaky updated FLINK-36405:
---------------------------------
    Summary: Fix startup issues due to Hive delegation token on kerberos 
clusters  (was: Fix startup issues on kerberos clusters)

> Fix startup issues due to Hive delegation token on kerberos clusters
> --------------------------------------------------------------------
>
>                 Key: FLINK-36405
>                 URL: https://issues.apache.org/jira/browse/FLINK-36405
>             Project: Flink
>          Issue Type: Bug
>          Components: Table SQL / Runtime
>    Affects Versions: 1.20.0, 1.19.1
>            Reporter: Chenyu Zheng
>            Assignee: Chenyu Zheng
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 2.0.0, 1.19.2, 1.20.1
>
>
> Fount these error when startup on kerberos cluster.
> Error 1: renew user dismatched
> {code:java}
> Caused by: org.apache.flink.util.FlinkRuntimeException: 
> MetaException(message:usera tries to renew a token (HIVE_DELEGATION_TOKEN 
> owner=usera/[email protected], renewer=hive, realUser=usera/[email protected], 
> issueDate=1727264927044, maxDate=1727869727044, sequenceNumber=251, 
> masterKeyId=7) with non-matching renewer hive)
>     at 
> org.apache.flink.table.security.token.HiveServer2DelegationTokenProvider.getNewExpiration(HiveServer2DelegationTokenProvider.java:203)
>  ~[flink-sql-connector-hive-3.1.3_2.12-1.19.1.jar:1.19.1]
>     at 
> org.apache.flink.table.security.token.HiveServer2DelegationTokenProvider.getTokenRenewalInterval(HiveServer2DelegationTokenProvider.java:190)
>  ~[flink-sql-connector-hive-3.1.3_2.12-1.19.1.jar:1.19.1]
>     at 
> org.apache.flink.table.security.token.HiveServer2DelegationTokenProvider.lambda$obtainDelegationTokens$0(HiveServer2DelegationTokenProvider.java:159)
>  ~[flink-sql-connector-hive-3.1.3_2.12-1.19.1.jar:1.19.1] 
> ...{code}
> The cause of the problem is that the renewer is set to the value of 
> `hive.metastore.kerberos.principal`, which is generally the startup user of 
> hive metastore. However, when renewing DelegationToken, will use the startup 
> user of flink. This will cause the renewer to be mismatched.
>  
> Error2: HIVE_DELEGATION_TOKEN is not in service list
>  
> {code:java}
> 2024-09-26 14:35:07,144 ERROR 
> org.apache.flink.table.security.token.HiveServer2DelegationTokenProvider [] - 
> Failed to obtain delegation token for HiveServer2
> java.lang.NullPointerException: null
>     at 
> org.apache.flink.table.security.token.HiveServer2DelegationTokenProvider.getTokenRenewalInterval(HiveServer2DelegationTokenProvider.java:202)
>  ~[flink-sql-connector-hive-3.1.3_2.12-1.19.1.jar:1.19.1]
>     at 
> org.apache.flink.table.security.token.HiveServer2DelegationTokenProvider.lambda$obtainDelegationTokens$0(HiveServer2DelegationTokenProvider.java:170)
>  ~[flink-sql-connector-hive-3.1.3_2.12-1.19.1.jar:1.19.1]
> ...{code}
> The cause of this problem is that HIVE_DELEGATION_TOKEN is not in service.
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to