[
https://issues.apache.org/jira/browse/HIVE-26522?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Pavan Lanka updated HIVE-26522:
-------------------------------
Description:
HIVE-22033 fixes the issue with Hive Delegation tokens so that the renewal time
is effective.
This looks at adding a test for HIVE-22033 and backporting this fix to 3.1 and
2.3 branches in Hive.
was:
The HMS currently exposes method to renew an obtained delegation token
{code:java}
@Override
public long renewDelegationToken(String tokenStrForm) throws MetaException,
TException {
if (localMetaStore) {
return 0;
}
return client.renew_delegation_token(tokenStrForm);
}{code}
However on the server side, the renewal of the delegation token does not result
in the update of the token information with the updated expiry
{code:java}
@Override
public long renewToken(Token<DelegationTokenIdentifier> token, String renewer)
throws IOException {
// since renewal is KERBEROS authenticated token may not be cached
final DelegationTokenIdentifier id = getTokenIdentifier(token);
DelegationTokenInformation tokenInfo = this.tokenStore.getToken(id);
if (tokenInfo == null) {
throw new InvalidToken("token does not exist: " + id); // no token found
}
// ensure associated master key is available
if (!super.allKeys.containsKey(id.getMasterKeyId())) {
LOGGER.info("Unknown master key (id={}), (re)loading keys from token
store.",
id.getMasterKeyId());
reloadKeys();
}
// reuse super renewal logic
synchronized (this) {
--> super.currentTokens.put(id, tokenInfo);
try {
--> return super.renewToken(token, renewer);
} finally {
--> super.currentTokens.remove(id);
}
}
} {code}
Here you can see that we populate the `super.currentTokens` perform the renewal
and then remove the token without updating the `tokenStore`
As a result of this even though the call for renewal is successful the renewal
time is not updated for the token and the token is invalidated based on the
initial expiry time i.e based on when the token was created.
> Test for HIVE-22033 and backport to 3.1 and 2.3
> -----------------------------------------------
>
> Key: HIVE-26522
> URL: https://issues.apache.org/jira/browse/HIVE-26522
> Project: Hive
> Issue Type: Bug
> Components: Standalone Metastore
> Affects Versions: 2.3.8, 3.1.3
> Reporter: Pavan Lanka
> Assignee: Pavan Lanka
> Priority: Major
> Labels: pull-request-available
> Time Spent: 20m
> Remaining Estimate: 0h
>
> HIVE-22033 fixes the issue with Hive Delegation tokens so that the renewal
> time is effective.
> This looks at adding a test for HIVE-22033 and backporting this fix to 3.1
> and 2.3 branches in Hive.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
