[ https://issues.apache.org/jira/browse/HIVE-26522?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17601989#comment-17601989 ]
Pavan Lanka commented on HIVE-26522: ------------------------------------ This is already patched as part of HIVE-22033, I will use this add a test case that covers the renewal testing > Metastore DelegationToken renewal is ineffective > ------------------------------------------------ > > Key: HIVE-26522 > URL: https://issues.apache.org/jira/browse/HIVE-26522 > Project: Hive > Issue Type: Bug > Components: Standalone Metastore > Affects Versions: 2.3.8, 3.1.3 > Reporter: Pavan Lanka > Assignee: Pavan Lanka > Priority: Major > > The HMS currently exposes method to renew an obtained delegation token > {code:java} > @Override > public long renewDelegationToken(String tokenStrForm) throws MetaException, > TException { > if (localMetaStore) { > return 0; > } > return client.renew_delegation_token(tokenStrForm); > }{code} > However on the server side, the renewal of the delegation token does not > result in the update of the token information with the updated expiry > {code:java} > @Override > public long renewToken(Token<DelegationTokenIdentifier> token, String > renewer) throws IOException { > // since renewal is KERBEROS authenticated token may not be cached > final DelegationTokenIdentifier id = getTokenIdentifier(token); > DelegationTokenInformation tokenInfo = this.tokenStore.getToken(id); > if (tokenInfo == null) { > throw new InvalidToken("token does not exist: " + id); // no token found > } > // ensure associated master key is available > if (!super.allKeys.containsKey(id.getMasterKeyId())) { > LOGGER.info("Unknown master key (id={}), (re)loading keys from token > store.", > id.getMasterKeyId()); > reloadKeys(); > } > // reuse super renewal logic > synchronized (this) { > --> super.currentTokens.put(id, tokenInfo); > try { > --> return super.renewToken(token, renewer); > } finally { > --> super.currentTokens.remove(id); > } > } > } {code} > Here you can see that we populate the `super.currentTokens` perform the > renewal and then remove the token without updating the `tokenStore` > > As a result of this even though the call for renewal is successful the > renewal time is not updated for the token and the token is invalidated based > on the initial expiry time i.e based on when the token was created. -- This message was sent by Atlassian Jira (v8.20.10#820010)