[jira] [Work logged] (HIVE-26522) Metastore DelegationToken renewal is ineffective

["ASF GitHub Bot (Jira)" <ji...@apache.org>]

     [ https://issues.apache.org/jira/browse/HIVE-26522?focusedWorklogId=807175&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-807175 ]

ASF GitHub Bot logged work on HIVE-26522:
-----------------------------------------

                Author: ASF GitHub Bot
            Created on: 08/Sep/22 20:17
            Start Date: 08/Sep/22 20:17
    Worklog Time Spent: 10m 
      Work Description: pavibhai opened a new pull request, #3585:
URL: https://github.com/apache/hive/pull/3585

   ### What changes were proposed in this pull request?
   Added a test for delegation token renewal that was fixed as part of HIVE-22033
   
   
   ### Why are the changes needed?
   For future regression tests
   
   
   ### Does this PR introduce _any_ user-facing change?
   No
   
   
   ### How was this patch tested?
   Unit test added tests successfully
   




Issue Time Tracking
-------------------

            Worklog Id:     (was: 807175)
    Remaining Estimate: 0h
            Time Spent: 10m

> Metastore DelegationToken renewal is ineffective
> ------------------------------------------------
>
>                 Key: HIVE-26522
>                 URL: https://issues.apache.org/jira/browse/HIVE-26522
>             Project: Hive
>          Issue Type: Bug
>          Components: Standalone Metastore
>    Affects Versions: 2.3.8, 3.1.3
>            Reporter: Pavan Lanka
>            Assignee: Pavan Lanka
>            Priority: Major
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> The HMS currently exposes method to renew an obtained delegation token
> {code:java}
> @Override
> public long renewDelegationToken(String tokenStrForm) throws MetaException, TException {
>   if (localMetaStore) {
>     return 0;
>   }
>   return client.renew_delegation_token(tokenStrForm);
> }{code}
> However on the server side, the renewal of the delegation token does not result in the update of the token information with the updated expiry
> {code:java}
> @Override
> public long renewToken(Token<DelegationTokenIdentifier> token, String renewer) throws IOException {
>   // since renewal is KERBEROS authenticated token may not be cached
>   final DelegationTokenIdentifier id = getTokenIdentifier(token);
>   DelegationTokenInformation tokenInfo = this.tokenStore.getToken(id);
>   if (tokenInfo == null) {
>       throw new InvalidToken("token does not exist: " + id); // no token found
>   }
>   // ensure associated master key is available
>   if (!super.allKeys.containsKey(id.getMasterKeyId())) {
>     LOGGER.info("Unknown master key (id={}), (re)loading keys from token store.",
>       id.getMasterKeyId());
>     reloadKeys();
>   }
>   // reuse super renewal logic
>   synchronized (this) {
> --> super.currentTokens.put(id,  tokenInfo);
>     try {
> -->   return super.renewToken(token, renewer);
>     } finally {
> -->   super.currentTokens.remove(id);
>     }
>   }
> } {code}
> Here you can see that we populate the `super.currentTokens` perform the renewal and then remove the token without updating the `tokenStore`
>  
> As a result of this even though the call for renewal is successful the renewal time is not updated for the token and the token is invalidated based on the initial expiry time i.e based on when the token was created.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)