[jira] [Updated] (FLINK-36405) Fix startup issues on kerberos clusters

Mon, 14 Oct 2024 04:26:04 -0700 


     [ 
https://issues.apache.org/jira/browse/FLINK-36405?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Chenyu Zheng updated FLINK-36405:
---------------------------------
    External issue URL:   (was: https://github.com/apache/flink/pull/25428)

> Fix startup issues on kerberos clusters
> ---------------------------------------
>
>                 Key: FLINK-36405
>                 URL: https://issues.apache.org/jira/browse/FLINK-36405
>             Project: Flink
>          Issue Type: Bug
>          Components: Table SQL / Runtime
>    Affects Versions: 1.20.0, 1.19.1
>            Reporter: Chenyu Zheng
>            Assignee: Ferenc Csaky
>            Priority: Major
>             Fix For: 2.0.0, 1.19.2, 1.20.1
>
>
> Fount these error when startup on kerberos cluster.
> Error 1: renew user dismatched
> {code:java}
> Caused by: org.apache.flink.util.FlinkRuntimeException: 
> MetaException(message:usera tries to renew a token (HIVE_DELEGATION_TOKEN 
> owner=usera/h...@hadoop.com, renewer=hive, realUser=usera/h...@hadoop.com, 
> issueDate=1727264927044, maxDate=1727869727044, sequenceNumber=251, 
> masterKeyId=7) with non-matching renewer hive)
>     at 
> org.apache.flink.table.security.token.HiveServer2DelegationTokenProvider.getNewExpiration(HiveServer2DelegationTokenProvider.java:203)
>  ~[flink-sql-connector-hive-3.1.3_2.12-1.19.1.jar:1.19.1]
>     at 
> org.apache.flink.table.security.token.HiveServer2DelegationTokenProvider.getTokenRenewalInterval(HiveServer2DelegationTokenProvider.java:190)
>  ~[flink-sql-connector-hive-3.1.3_2.12-1.19.1.jar:1.19.1]
>     at 
> org.apache.flink.table.security.token.HiveServer2DelegationTokenProvider.lambda$obtainDelegationTokens$0(HiveServer2DelegationTokenProvider.java:159)
>  ~[flink-sql-connector-hive-3.1.3_2.12-1.19.1.jar:1.19.1] 
> ...{code}
> The cause of the problem is that the renewer is set to the value of 
> `hive.metastore.kerberos.principal`, which is generally the startup user of 
> hive metastore. However, when renewing DelegationToken, will use the startup 
> user of flink. This will cause the renewer to be mismatched.
>  
> Error2: HIVE_DELEGATION_TOKEN is not in service list
>  
> {code:java}
> 2024-09-26 14:35:07,144 ERROR 
> org.apache.flink.table.security.token.HiveServer2DelegationTokenProvider [] - 
> Failed to obtain delegation token for HiveServer2
> java.lang.NullPointerException: null
>     at 
> org.apache.flink.table.security.token.HiveServer2DelegationTokenProvider.getTokenRenewalInterval(HiveServer2DelegationTokenProvider.java:202)
>  ~[flink-sql-connector-hive-3.1.3_2.12-1.19.1.jar:1.19.1]
>     at 
> org.apache.flink.table.security.token.HiveServer2DelegationTokenProvider.lambda$obtainDelegationTokens$0(HiveServer2DelegationTokenProvider.java:170)
>  ~[flink-sql-connector-hive-3.1.3_2.12-1.19.1.jar:1.19.1]
> ...{code}
> The cause of this problem is that HIVE_DELEGATION_TOKEN is not in service.
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to