[
https://issues.apache.org/jira/browse/HIVE-29630?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18087567#comment-18087567
]
Shohei Okumiya commented on HIVE-29630:
---------------------------------------
[~aespinosa]
Disclaimer: I'm not a specialist in Hadoop Delegation Tokens.
Reading the source code, I guessed the initialization steps as follows.
# Client: Instantiate ThriftHiveMetaStoreClient, [create a temporal Thrift
connection|https://github.com/apache/hive/blob/rel/release-4.2.0/standalone-metastore/metastore-client/src/main/java/org/apache/hadoop/hive/metastore/client/ThriftHiveMetaStoreClient.java#L336],
and [request a delegation
token|https://github.com/apache/hive/blob/rel/release-4.2.0/standalone-metastore/metastore-client/src/main/java/org/apache/hadoop/hive/metastore/client/ThriftHiveMetaStoreClient.java#L341]
# Server: Hive Metastore responds with a delegation token without a "service"
# Client: [Binds "DelegationTokenForHiveMetaStoreServer" to the "service" field
of the token, and adds it to
UserGroupInformation|https://github.com/apache/hive/blob/rel/release-4.2.0/standalone-metastore/metastore-client/src/main/java/org/apache/hadoop/hive/metastore/client/ThriftHiveMetaStoreClient.java#L342-L343]
# Client: [Updates "metastore.token.signature" to
"DelegationTokenForHiveMetaStoreServer" in the client-side
configuration|https://github.com/apache/hive/blob/rel/release-4.2.0/standalone-metastore/metastore-client/src/main/java/org/apache/hadoop/hive/metastore/client/ThriftHiveMetaStoreClient.java#L344]
# Client: [Picks up a delegation token with service =
"DelegationTokenForHiveMetaStoreServer"|https://github.com/apache/hive/blob/rel/release-4.2.0/standalone-metastore/metastore-client/src/main/java/org/apache/hadoop/hive/metastore/client/ThriftHiveMetaStoreClient.java#L874],
and opens a new Thrift connection with the single token
# Server: Hive Metastore receives the single token and assumes it is for HMS
So, I guess `metastore.token.signature` is an internal parameter for a Hive
Metastore client to select a token for HMS from potentially multiple tokens for
HDFS, KMS, HMS, Hive, or even something else. As the Hive Metastore's Thrift
protocol conveys only a single delegation token at a time, I guess the
selection logic is not necessary in HMS; if HMS receives a delegation token for
HDFS, it is definitely rejected.
> hive.metastore.token.signature is not being used by hive-metastore
> ------------------------------------------------------------------
>
> Key: HIVE-29630
> URL: https://issues.apache.org/jira/browse/HIVE-29630
> Project: Hive
> Issue Type: Bug
> Components: Standalone Metastore
> Reporter: Allan Espinosa
> Priority: Minor
>
> The hive.metastore.token.signature property determines how the Hive metastore
> client pulls a string-encoded delegation token from UserGroupInformation [1]
> by matching the Token#service field. However, this property is not
> referenced when the Hive Metastore is issuing a delegation token [2].
> Is this intended? What are the cases where a Hive Client will receive a Hive
> Metastore delegation token with a custom signature?
> [1]
> https://github.com/apache/hive/blob/master/standalone-metastore/metastore-client/src/main/java/org/apache/hadoop/hive/metastore/client/ThriftHiveMetaStoreClient.java#L878-L885
> [2]
> https://github.com/apache/hive/blob/master/standalone-metastore/metastore-common/src/main/java/org/apache/hadoop/hive/metastore/security/DelegationTokenSecretManager.java#L106-L121
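The client-side steps listed in the comment above, as an added Java example that is not part of the original message or of Hive's code: a token arrives with an empty service, is labelled locally, and is then found again only when the lookup uses the same label. It assumes hadoop-common on the classpath; the class name, the `constructed` and `select` helpers, the user name, the token bytes and the service addresses are all constructed for illustration, and matching on token kind in addition to service is an assumption of this example.

```java
import java.nio.charset.StandardCharsets;
import java.util.Collection;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.TokenIdentifier;

public class TokenSignatureDemo {  // hypothetical class name
    static final Text HMS_KIND = new Text("HIVE_DELEGATION_TOKEN");
    static final String SIGNATURE = "DelegationTokenForHiveMetaStoreServer";

    // Constructed token with dummy identifier/password bytes; not a real credential.
    static Token<TokenIdentifier> constructed(String kind, String service) {
        byte[] id = ("id-" + kind).getBytes(StandardCharsets.UTF_8);
        byte[] pw = "dummy".getBytes(StandardCharsets.UTF_8);
        return new Token<>(id, pw, new Text(kind), new Text(service));
    }

    // Hypothetical helper: return the first token whose kind and service both match.
    static Token<? extends TokenIdentifier> select(
            Text service, Collection<Token<? extends TokenIdentifier>> tokens) {
        for (Token<? extends TokenIdentifier> t : tokens) {
            if (HMS_KIND.equals(t.getKind()) && service.equals(t.getService())) {
                return t;
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        UserGroupInformation ugi = UserGroupInformation.createRemoteUser("alice");
        // Tokens for other services already held by the user (constructed values).
        ugi.addToken(constructed("HDFS_DELEGATION_TOKEN", "nn.example.test:8020"));
        ugi.addToken(constructed("kms-dt", "kms.example.test:9600"));

        // Step 2: the token string from HMS decodes to a token with an empty service.
        String wire = constructed("HIVE_DELEGATION_TOKEN", "").encodeToUrlString();
        Token<TokenIdentifier> hmsToken = new Token<>();
        hmsToken.decodeFromUrlString(wire);
        System.out.println("service as issued: '" + hmsToken.getService() + "'");

        // Step 3: the client labels the token locally and stores it in UGI.
        hmsToken.setService(new Text(SIGNATURE));
        ugi.addToken(hmsToken);

        // Step 5: only the matching label finds the HMS token among the three.
        System.out.println("matching signature: " + (select(new Text(SIGNATURE), ugi.getTokens()) != null));
        System.out.println("other signature:    " + (select(new Text("custom"), ugi.getTokens()) != null));
    }
}
```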