Posted to dev@hive.apache.org by "Pavan Lanka (Jira)" <ji...@apache.org> on 2022/09/07 14:37:00 UTC

[jira] [Created] (HIVE-26522) Metastore DelegationToken renewal is ineffective

Pavan Lanka created HIVE-26522:
----------------------------------

             Summary: Metastore DelegationToken renewal is ineffective
                 Key: HIVE-26522
                 URL: https://issues.apache.org/jira/browse/HIVE-26522
             Project: Hive
          Issue Type: Bug
          Components: Standalone Metastore
    Affects Versions: 3.1.3, 2.3.8
            Reporter: Pavan Lanka


The HMS currently exposes a method to renew an obtained delegation token:
{code:java}
@Override
public long renewDelegationToken(String tokenStrForm) throws MetaException, TException {
  if (localMetaStore) {
    return 0;
  }
  return client.renew_delegation_token(tokenStrForm);
}
{code}
However, on the server side, renewing the delegation token does not update the stored token information with the new expiry:
{code:java}
@Override
public long renewToken(Token<DelegationTokenIdentifier> token, String renewer) throws IOException {
  // since renewal is KERBEROS authenticated token may not be cached
  final DelegationTokenIdentifier id = getTokenIdentifier(token);
  DelegationTokenInformation tokenInfo = this.tokenStore.getToken(id);
  if (tokenInfo == null) {
    throw new InvalidToken("token does not exist: " + id); // no token found
  }
  // ensure associated master key is available
  if (!super.allKeys.containsKey(id.getMasterKeyId())) {
    LOGGER.info("Unknown master key (id={}), (re)loading keys from token store.",
      id.getMasterKeyId());
    reloadKeys();
  }
  // reuse super renewal logic
  synchronized (this) {
    super.currentTokens.put(id,  tokenInfo);   // <--
    try {
      return super.renewToken(token, renewer); // <--
    } finally {
      super.currentTokens.remove(id);          // <--
    }
  }
}
{code}
Here you can see that we populate `super.currentTokens`, perform the renewal, and then remove the token without updating the `tokenStore`.

As a result, even though the renewal call succeeds, the renewal time is not updated for the token, and the token is invalidated based on the initial expiry time, i.e., based on when the token was created.
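
A reduced model of the renewal path described above, as an added example that is not Hive's code or part of the original report. `RenewalDemo`, its plain maps, the interval value and the `writeBack` flag are hypothetical stand-ins, and writing the renewed entry back to the store is an assumed remedy, not the project's patch.

```java
import java.util.HashMap;
import java.util.Map;

// Toy model (constructed for illustration): field names mirror the report, nothing here is Hive code.
public class RenewalDemo {
    static final long RENEW_INTERVAL_MS = 1_000L;             // constructed value
    final Map<String, Long> tokenStore = new HashMap<>();     // persistent store: token id -> renew date
    final Map<String, Long> currentTokens = new HashMap<>();  // in-memory cache used by the base class

    // Stand-in for super.renewToken(): it only updates the in-memory cache.
    long superRenew(String id, long now) {
        if (!currentTokens.containsKey(id)) throw new IllegalStateException("token not cached: " + id);
        long renewDate = now + RENEW_INTERVAL_MS;
        currentTokens.put(id, renewDate);
        return renewDate;
    }

    // writeBack=false follows the reported pattern; writeBack=true is the assumed remedy.
    long renew(String id, long now, boolean writeBack) {
        Long info = tokenStore.get(id);
        if (info == null) throw new IllegalArgumentException("token does not exist: " + id);
        synchronized (this) {
            currentTokens.put(id, info);
            try {
                long renewDate = superRenew(id, now);
                if (writeBack) tokenStore.put(id, currentTokens.get(id)); // persist before eviction
                return renewDate;
            } finally {
                currentTokens.remove(id); // without write-back the new renew date is lost here
            }
        }
    }

    public static void main(String[] args) {
        RenewalDemo sm = new RenewalDemo();
        sm.tokenStore.put("t1", 1_000L); // constructed token: issued at t=0, renew date t=1000
        long reported = sm.renew("t1", 900L, false);
        System.out.println("reported:   returned=" + reported + " stored=" + sm.tokenStore.get("t1"));
        long fixed = sm.renew("t1", 900L, true);
        System.out.println("write-back: returned=" + fixed + " stored=" + sm.tokenStore.get("t1"));
    }
}
```

In the first call the caller receives a later renew date while the stored value stays at the original one, which is the mismatch the report describes; comparing the returned value against the stored one is a direct regression check for this path.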


