[
https://issues.apache.org/jira/browse/HIVE-2467?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13151365#comment-13151365
]
Ashutosh Chauhan commented on HIVE-2467:
----------------------------------------
* Does it make sense to have TokenStore as a first class interface instead
being contained in TokenStoreDelegationTokenSecretManager and then secret
manager contain an instance of it?
* I think it makes sense to always use TokenStore based
DelegationTokenSecretManager and use MemoryStore as default case instead of
creating two code paths in ThriftAuthBridge20S.
* Various tricks are currently done to get around limited interfaces exported
by Hadoop. We should file jiras on hadoop so some of this could be eventually
be migrated there.
* After retrieving tokens from tokenstore we put them in abstract class's maps,
pull it back and then delete immediately. This looks unnecessary. If possible
we should avoid that.
> HA Support for Metastore Server
> --------------------------------
>
> Key: HIVE-2467
> URL: https://issues.apache.org/jira/browse/HIVE-2467
> Project: Hive
> Issue Type: Improvement
> Components: Metastore, Security, Server Infrastructure
> Affects Versions: 0.8.0, 0.9.0
> Reporter: Thomas Weise
> Assignee: Thomas Weise
> Fix For: 0.9.0
>
> Attachments: HIVE-2467.patch
>
>
> We require HA deployment for metastore server for HCatalog:
> * Multiple server instances run behind VIP
> * Database provides HA
> Metastore server instances will need to be able to share any state required
> for VIP outside RDBMS. As of Hive 0.8 affected conversational state that
> needs to support VIP/HA setup is limited to current delegation tokens. Is
> this correct?
> We are planning to use ZooKeeper to share current delegation tokens and
> master keys between nodes of the VIP. ZK is already (optionally) used by Hive
> for concurrency control. Access to ZK would be limited on the network level
> or in the future, when ZooKeeper supports security, through Kerberos, similar
> to NN access.
> Currently Hive taps into Hadoop core security delegation token support
> through extension of
> org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager<TokenIdent>
> A solution could amend the Hive specific extension to support:
> * Pluggable delegation token and master key store (ZooKeeper as alternative
> for in-memory AbstractDelegationTokenSecretManager)
> * Delegation token retrieval from token store when not found in memory
> (wrap/extend retrievePassword(...))
> * Cancellation of token in token store
> * Purging of expired tokens from token store
> http://www.mail-archive.com/hcatalog-user@incubator.apache.org/msg00053.html
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
