[jira] [Commented] (HIVE-26522) Metastore DelegationToken renewal is ineffective

Thu, 08 Sep 2022 12:59:06 -0700 


    [ 
https://issues.apache.org/jira/browse/HIVE-26522?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17601989#comment-17601989
 ] 

Pavan Lanka commented on HIVE-26522:
------------------------------------

This is already patched as part of HIVE-22033, I will use this add a test case 
that covers the renewal testing

> Metastore DelegationToken renewal is ineffective
> ------------------------------------------------
>
>                 Key: HIVE-26522
>                 URL: https://issues.apache.org/jira/browse/HIVE-26522
>             Project: Hive
>          Issue Type: Bug
>          Components: Standalone Metastore
>    Affects Versions: 2.3.8, 3.1.3
>            Reporter: Pavan Lanka
>            Assignee: Pavan Lanka
>            Priority: Major
>
> The HMS currently exposes method to renew an obtained delegation token
> {code:java}
> @Override
> public long renewDelegationToken(String tokenStrForm) throws MetaException, 
> TException {
>   if (localMetaStore) {
>     return 0;
>   }
>   return client.renew_delegation_token(tokenStrForm);
> }{code}
> However on the server side, the renewal of the delegation token does not 
> result in the update of the token information with the updated expiry
> {code:java}
> @Override
> public long renewToken(Token<DelegationTokenIdentifier> token, String 
> renewer) throws IOException {
>   // since renewal is KERBEROS authenticated token may not be cached
>   final DelegationTokenIdentifier id = getTokenIdentifier(token);
>   DelegationTokenInformation tokenInfo = this.tokenStore.getToken(id);
>   if (tokenInfo == null) {
>       throw new InvalidToken("token does not exist: " + id); // no token found
>   }
>   // ensure associated master key is available
>   if (!super.allKeys.containsKey(id.getMasterKeyId())) {
>     LOGGER.info("Unknown master key (id={}), (re)loading keys from token 
> store.",
>       id.getMasterKeyId());
>     reloadKeys();
>   }
>   // reuse super renewal logic
>   synchronized (this) {
> --> super.currentTokens.put(id,  tokenInfo);
>     try {
> -->   return super.renewToken(token, renewer);
>     } finally {
> -->   super.currentTokens.remove(id);
>     }
>   }
> } {code}
> Here you can see that we populate the `super.currentTokens` perform the 
> renewal and then remove the token without updating the `tokenStore`
>  
> As a result of this even though the call for renewal is successful the 
> renewal time is not updated for the token and the token is invalidated based 
> on the initial expiry time i.e based on when the token was created.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to