[jira] [Commented] (HIVE-17609) Tool to manipulate delegation tokens

[Mithun Radhakrishnan (JIRA)]

    [ 
https://issues.apache.org/jira/browse/HIVE-17609?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16190040#comment-16190040
 ] 

Mithun Radhakrishnan commented on HIVE-17609:
---------------------------------------------

Hey, there, [~vihangk1]. Thank you for your interest in the tool. It did prove 
useful to us in a few production incidents, (albeit only in the context of the 
metastore.)

bq. Is this specific for Hcatalog or this can be used in general for HS2 as 
well?

I was about to say that this isn't specific to HCatalog/Metastore, because it 
uses reflection to instantiate the {{DelegationTokenStore}} instance, as per 
the HiveConf's {{DELEGATION_TOKEN_STORE_CLS}} setting. However, on reexamining 
the code, I see the following:
{code:java}
  private void init() throws Exception {
    // ...

    String tokenStoreClassName = conf.get(DELEGATION_TOKEN_STORE_CLS, "");
    if (StringUtils.isBlank(tokenStoreClassName)) {
      throw new Exception("Could not find Delegation TokenStore 
implementation.");
    }

    Class<? extends DelegationTokenStore> clazz = 
Class.forName(tokenStoreClassName).asSubclass(DelegationTokenStore.class);
    delegationTokenStore = ReflectionUtils.newInstance(clazz, conf);
    delegationTokenStore.init(null, 
HadoopThriftAuthBridge.Server.ServerMode.METASTORE); // <---- Darn it!
  }

{code}

Argh. Perhaps an argument is in order, to choose the server-mode. :]

> Tool to manipulate delegation tokens
> ------------------------------------
>
>                 Key: HIVE-17609
>                 URL: https://issues.apache.org/jira/browse/HIVE-17609
>             Project: Hive
>          Issue Type: Improvement
>          Components: Metastore, Security
>    Affects Versions: 2.2.0, 3.0.0
>            Reporter: Mithun Radhakrishnan
>            Assignee: Mithun Radhakrishnan
>         Attachments: HIVE-17609.1-branch-2.2.patch, 
> HIVE-17609.1-branch-2.patch, HIVE-17609.1.patch
>
>
> This was precipitated by OOZIE-2797. We had a case in production where the 
> number of active metastore delegation tokens outstripped the ZooKeeper 
> {{jute.maxBuffer}} size. Delegation tokens could neither be fetched, nor be 
> cancelled. 
> The root-cause turned out to be a miscommunication, causing delegation tokens 
> fetched by Oozie *not* to be cancelled automatically from HCat. This was 
> sorted out as part of OOZIE-2797.
> The issue exposed how poor the log-messages were, in the code pertaining to 
> token fetch/cancellation. We also found need for a tool to query/list/purge 
> delegation tokens that might have expired already. This patch introduces such 
> a tool, and improves the log-messages.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)