koodin9 commented on code in PR #5775:
URL: https://github.com/apache/hive/pull/5775#discussion_r2057615303
##########
standalone-metastore/metastore-common/src/main/java/org/apache/hadoop/hive/metastore/HiveMetaStoreClient.java:
##########
@@ -502,6 +506,9 @@ public void reconnect() throws MetaException {
// connection has died and the default connection is likely to be the
first array element.
promoteRandomMetaStoreURI();
}
+
+ generateProxyUserDelegationToken();
Review Comment:
@deniskuzZ
It seems the process of generating a new token is definitely necessary.
When the HiveMetaStoreClient constructor created the Delegation Token for
the proxy user, the result of calling
UserGroupInformation.getCurrentUser().getTokens() correctly contained the
token, as expected.
```
[2025-04-24 14:01:33,413] INFO [45337-limtan-ib-g19-3|task-0] finish
creating DT. current User(koodin-9 (auth:PROXY) via [email protected]
(auth:KERBEROS)) getTokens: [Kind: HIVE_DELEGATION_TOKEN, Service:
DelegationTokenForHiveMetaStoreServer, Ident: ...] (hive.metastore:334)
```
However, when checking by calling
UserGroupInformation.getCurrentUser().getTokens() at the point reconnect() was
invoked, it always showed an empty value.
In the 3f5a258, logging was added to the SecurityUtils.getTokenStrForm
function, and when it was called, the results were as follows.
```
public static String getTokenStrForm(String tokenSignature) throws
IOException {
UserGroupInformation ugi = UserGroupInformation.getCurrentUser();
TokenSelector<? extends TokenIdentifier> tokenSelector = new
DelegationTokenSelector();
LOG.info("ok, ugi getTokens? : {}", ugi.getTokens());
LOG.info("ok, ugi realUser getTokens? : {}",
ugi.getRealUser().getTokens());
Token<? extends TokenIdentifier> token = tokenSelector.selectToken(
tokenSignature == null ? new Text() : new
Text(tokenSignature), ugi.getTokens());
return token != null ? token.encodeToUrlString() : null;
}
```
```
[2025-04-24 14:32:51,577] INFO [45337-limtan-ib-g19-3|task-2] ok, ugi
getTokens? : [] (org.apache.hadoop.hive.metastore.utils.SecurityUtils:159)
[2025-04-24 14:32:51,578] INFO [45337-limtan-ib-g19-3|task-2] ok, ugi
realUser getTokens? : []
(org.apache.hadoop.hive.metastore.utils.SecurityUtils:160)
```
I am not sure why the token information in
UserGroupInformation.getCurrentUser().getTokens() disappears after the Hive
Metastore restarts. Would you happen to know the reason for this?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
