[
https://issues.apache.org/jira/browse/HIVE-29630?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18091097#comment-18091097
]
Shohei Okumiya commented on HIVE-29630:
---------------------------------------
[~aespinosa] Thank you!
So, it is not a security problem but a usability problem where we use multiple
Hive Metastore clusters.
I feel some behavior might have changed in the following commits. Honestly, I'm
not familiar with Apache Kyuubi/Spark, and I'm not sure how they should ideally
interact with HMS :(
* [https://github.com/apache/hive/commit/199c0043fa]
* [https://github.com/apache/hive/commit/3f90794d87]
> hive.metastore.token.signature is not being used by hive-metastore
> ------------------------------------------------------------------
>
> Key: HIVE-29630
> URL: https://issues.apache.org/jira/browse/HIVE-29630
> Project: Hive
> Issue Type: Bug
> Components: Standalone Metastore
> Reporter: Allan Espinosa
> Priority: Minor
>
> The hive.metastore.token.signature property determines how the Hive metastore
> client pulls a string-encoded delegation token from UserGroupInformation [1]
> by matching the Token#service field.. However, this property is not
> referenced when the Hive Metastore is issuing a delegation token [2].
> Is this intended? What are the cases where a Hive Client will receive a Hive
> Metastore delegation token with a custom signature?
> [1]
> https://github.com/apache/hive/blob/master/standalone-metastore/metastore-client/src/main/java/org/apache/hadoop/hive/metastore/client/ThriftHiveMetaStoreClient.java#L878-L885
> [2]
> https://github.com/apache/hive/blob/master/standalone-metastore/metastore-common/src/main/java/org/apache/hadoop/hive/metastore/security/DelegationTokenSecretManager.java#L106-L121
--
This message was sent by Atlassian Jira
(v8.20.10#820010)