[ 
https://issues.apache.org/jira/browse/HIVE-29630?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18091097#comment-18091097
 ] 

Shohei Okumiya commented on HIVE-29630:
---------------------------------------

[~aespinosa] Thank you!

So, it is not a security problem but a usability problem where we use multiple 
Hive Metastore clusters.

 

I feel some behavior might have changed in the following commits. Honestly, I'm 
not familiar with Apache Kyuubi/Spark, and I'm not sure how they should ideally 
interact with HMS :(
 * [https://github.com/apache/hive/commit/199c0043fa]
 * [https://github.com/apache/hive/commit/3f90794d87] 

> hive.metastore.token.signature is not being used by hive-metastore
> ------------------------------------------------------------------
>
>                 Key: HIVE-29630
>                 URL: https://issues.apache.org/jira/browse/HIVE-29630
>             Project: Hive
>          Issue Type: Bug
>          Components: Standalone Metastore
>            Reporter: Allan Espinosa
>            Priority: Minor
>
> The hive.metastore.token.signature property determines how the Hive metastore 
> client pulls a string-encoded delegation token from UserGroupInformation [1] 
> by matching the Token#service field..  However, this property is not 
> referenced when the Hive Metastore is issuing a delegation token [2].  
> Is this intended?  What are the cases where a Hive Client will receive a Hive 
> Metastore delegation token with a custom signature?
> [1] 
> https://github.com/apache/hive/blob/master/standalone-metastore/metastore-client/src/main/java/org/apache/hadoop/hive/metastore/client/ThriftHiveMetaStoreClient.java#L878-L885
> [2] 
> https://github.com/apache/hive/blob/master/standalone-metastore/metastore-common/src/main/java/org/apache/hadoop/hive/metastore/security/DelegationTokenSecretManager.java#L106-L121



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to