[
https://issues.apache.org/jira/browse/HIVE-29630?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18087757#comment-18087757
]
Allan Espinosa commented on HIVE-29630:
---------------------------------------
Thank you for the insight おくみやさん.
We use Hive delegation tokens originally to initiate the HiveContext from a
Spark session. We are currently working on integrating with Apache Kyuubi to
connect to multiple Hive-Metastores [1]. In order to be able to authenticate
we do the following:
1. Delegation Token Issuer
   * We have an in-house REST API Gateway to fetch Delegation Tokens from
     multiple Hive metastores (and HDFS and HBase).
   * In the API Gateway, we implement the following:
     - Call Hive#getDelegationToken() -> DelegationTokenIdentifier()
     - Set delegationTokenIdentifier#service -> something unique per hive-metastore
       FARM. We have used the hive.metastore.uri or even the Hadoop cluster name.
2. Spark Session
   Create multiple metastore definitions in Kyuubi with each property:
   * hive.metastore.uris=<URI of my metastore for this Hadoop cluster>
   * hive.metastore.token.signature=<unique id of my metastore for this Hadoop cluster>
In this case we are basically using the selection logic that Apache Kyuubi uses
in the ThriftMestoreClient.
[1] https://kyuubi.readthedocs.io/en/v1.9.1/connector/spark/hive.html
> hive.metastore.token.signature is not being used by hive-metastore
> ------------------------------------------------------------------
>
> Key: HIVE-29630
> URL: https://issues.apache.org/jira/browse/HIVE-29630
> Project: Hive
> Issue Type: Bug
> Components: Standalone Metastore
> Reporter: Allan Espinosa
> Priority: Minor
>
> The hive.metastore.token.signature property determines how the Hive metastore
> client pulls a string-encoded delegation token from UserGroupInformation [1]
> by matching the Token#service field. However, this property is not
> referenced when the Hive Metastore is issuing a delegation token [2].
> Is this intended? What are the cases where a Hive Client will receive a Hive
> Metastore delegation token with a custom signature?
> [1]
> https://github.com/apache/hive/blob/master/standalone-metastore/metastore-client/src/main/java/org/apache/hadoop/hive/metastore/client/ThriftHiveMetaStoreClient.java#L878-L885
> [2]
> https://github.com/apache/hive/blob/master/standalone-metastore/metastore-common/src/main/java/org/apache/hadoop/hive/metastore/security/DelegationTokenSecretManager.java#L106-L121
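
The relabel-then-select flow described in the comment above, as an added example that is not code from Hive, Kyuubi, or the commenter's gateway. It assumes hadoop-common and the Hive standalone-metastore jars on the classpath; the user `alice`, the labels `metastore-cluster-a/b/c`, and the password bytes are constructed, and the token is built locally instead of being fetched from a metastore.

```java
import java.nio.charset.StandardCharsets;
import org.apache.hadoop.hive.metastore.security.DelegationTokenIdentifier;
import org.apache.hadoop.hive.metastore.security.DelegationTokenSelector;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;

public class TokenSignatureDemo {
  // Constructed stand-in for the URL-safe string a metastore hands back; a real
  // gateway would obtain it from the metastore instead of building it locally.
  static String constructedTokenStr(String owner) throws Exception {
    DelegationTokenIdentifier id =
        new DelegationTokenIdentifier(new Text(owner), new Text("hive"), new Text(owner));
    Token<DelegationTokenIdentifier> token = new Token<>(id.getBytes(),
        "constructed-password".getBytes(StandardCharsets.UTF_8),
        DelegationTokenIdentifier.HIVE_DELEGATION_KIND, new Text());
    return token.encodeToUrlString();
  }

  // Gateway step: stamp a per-metastore label into Token#service. The label is
  // routing metadata held outside the identifier bytes, so it only decides which
  // token a client picks, not whether the metastore accepts it.
  static Token<DelegationTokenIdentifier> relabel(String tokenStr, String signature)
      throws Exception {
    Token<DelegationTokenIdentifier> token = new Token<>();
    token.decodeFromUrlString(tokenStr);
    token.setService(new Text(signature));
    return token;
  }

  public static void main(String[] args) throws Exception {
    UserGroupInformation ugi = UserGroupInformation.createRemoteUser("alice");
    // Constructed labels, one per metastore, as the gateway would assign them.
    ugi.addToken(relabel(constructedTokenStr("alice"), "metastore-cluster-a"));
    ugi.addToken(relabel(constructedTokenStr("alice"), "metastore-cluster-b"));

    // Client step: hive.metastore.token.signature is matched against Token#service.
    DelegationTokenSelector selector = new DelegationTokenSelector();
    for (String signature : new String[] {"metastore-cluster-a", "metastore-cluster-c"}) {
      Token<DelegationTokenIdentifier> hit =
          selector.selectToken(new Text(signature), ugi.getTokens());
      // A signature with no matching service yields null: no token is selected.
      System.out.println(signature + " -> "
          + (hit == null ? "no token selected" : "token for " + hit.getService()));
    }
  }
}
```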