HIVE-28042: DigestMD5 token expired or does not exist issue while opening connection to HMS #5049

Closed

@vikramahuja1001 vikramahuja1001 commented Jan 30, 2024

What changes were proposed in this pull request?

Adding three changes to fix this issue:

  1. Rework expiry thread to not remove token after renewal time has passed for that particular token. It will actually try to renew the token in this case.
  2. Individual calls to retrievePassword during the TSaslClientTransport auth will also try to renew the token if required before retrieving the password.
  3. Added a fallback mechanism to retry opening HMS connection using TSaslClientTransport with Kerberos auth in case the previous call fails with DigestMD5 auth.

Why are the changes needed?

Facing DigestMD5 token expiry issue in a session which has been open for a long time when a new connection is opened to HMS using TSaslClientTransport with DigestMD5 based auth. This issue is happening due to the fact that the new connection is trying to authenticate using the token identifier which is removed by the expiry thread in the background.

Does this PR introduce any user-facing change?

No

Is the change a dependency upgrade?

No

How was this patch tested?

Added a test case to check the expiry thread renewing the token automatically after some time and removing a token automatically after the token has expired.
Tested the scenario on a machine with dedicated HMS, HS2 with SASL enabled.
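
A minimal sketch of the sweep behaviour described in change 1 of the description above, as an added example that is not code from this pull request or from Hive: a token whose renewal time has passed is renewed instead of removed, and removal happens only once its lifetime has ended. The class, field and method names, the constructed timings, and the cap of each renewal at `maxDate` are assumptions for illustration.

```java
import java.util.Iterator;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added illustration; TokenSweepSketch and its members are hypothetical names, not Hive classes.
public class TokenSweepSketch {
    // Per-token state: when the current renewal lapses, and the hard lifetime cap.
    static final class TokenInfo {
        volatile long renewDate;   // token must be renewed before this time
        final long maxDate;        // token is never valid past this time (assumed cap)
        TokenInfo(long renewDate, long maxDate) { this.renewDate = renewDate; this.maxDate = maxDate; }
    }

    private final Map<String, TokenInfo> tokens = new ConcurrentHashMap<>();
    private final long renewIntervalMs;

    TokenSweepSketch(long renewIntervalMs) { this.renewIntervalMs = renewIntervalMs; }

    void add(String id, long now, long maxLifetimeMs) {
        tokens.put(id, new TokenInfo(now + renewIntervalMs, now + maxLifetimeMs));
    }

    // One pass of the background thread: renew lapsed tokens, remove only those past maxDate.
    void sweep(long now) {
        Iterator<Map.Entry<String, TokenInfo>> it = tokens.entrySet().iterator();
        while (it.hasNext()) {
            TokenInfo info = it.next().getValue();
            if (now >= info.maxDate) {
                it.remove();   // lifetime cap reached: the token is really expired
            } else if (now >= info.renewDate) {
                // Renewal time passed but lifetime remains: extend, never beyond maxDate.
                info.renewDate = Math.min(now + renewIntervalMs, info.maxDate);
            }
        }
    }

    boolean exists(String id) { return tokens.containsKey(id); }

    public static void main(String[] args) {
        TokenSweepSketch store = new TokenSweepSketch(1_000);   // constructed values, in ms
        store.add("token-1", 0, 3_000);
        store.sweep(1_500);   // case: past renewDate, before maxDate
        System.out.println("after 1500 ms, token present: " + store.exists("token-1"));
        store.sweep(3_000);   // case: maxDate reached
        System.out.println("after 3000 ms, token present: " + store.exists("token-1"));
    }
}
```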

@vikramahuja1001 vikramahuja1001 changed the title Fix DigestMD5 Token expiry issue during opening connection to HMS HIVE-28042: Fix DigestMD5 Token expiry issue during opening connection to HMS Jan 30, 2024
@vikramahuja1001 vikramahuja1001 changed the title HIVE-28042: Fix DigestMD5 Token expiry issue during opening connection to HMS HIVE-28042: DigestMD5 Token expiry issue during opening connection to HMS Jan 30, 2024
@vikramahuja1001 vikramahuja1001 changed the title HIVE-28042: DigestMD5 Token expiry issue during opening connection to HMS HIVE-28042: DigestMD5 Token expiry issue while opening connection to HMS Jan 30, 2024
@vikramahuja1001 vikramahuja1001 changed the title HIVE-28042: DigestMD5 Token expiry issue while opening connection to HMS HIVE-28042: DigestMD5 token expired or does not exist issue while opening connection to HMS Jan 30, 2024

sonarcloud bot commented Jan 31, 2024

Quality Gate passed

The SonarCloud Quality Gate passed, but some issues were introduced.

18 New issues
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarCloud

@zhangbutao

Did you see the same issue in case of other long-running frameworks accessing the HMS? Such as Spark streaming.
I am not very familiar with this part, but I think this fix deserves more attention. Waiting for other folks to give some valuable comments. :)

@vikramahuja1001

@nrg4878 and @ayushtkn, could you please have a look around this PR?

@@ -956,14 +986,16 @@ private TTransport createAuthBinaryTransport(URI store, TTransport underlyingTra
// tokenSig could be null
tokenStrForm = SecurityUtils.getTokenStrForm(tokenSig);

if (tokenStrForm != null) {
if (tokenStrForm != null && !fallbackToKerberos) {
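
Review bot: In `if (tokenStrForm != null && !fallbackToKerberos)`, the new flag silently switches the connection from delegation-token (DIGEST) authentication to Kerberos, and the hunk does not show where `fallbackToKerberos` is set or cleared. Please confirm it is scoped to the single retry after a DIGEST failure, so that a later connection holding a valid token does not skip the token branch, and log the mechanism switch together with the original failure so that a caller without Kerberos credentials does not see only the second error.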

Earlier tokenStrForm is null, it will fall back to Kerberos without fallbackToKerberos token

@@ -103,6 +105,10 @@ public byte[] retrievePassword(DelegationTokenIdentifier identifier) throws Inva
if (info == null) {
throw new InvalidToken("token expired or does not exist: " + identifier);
}
renewIfRequired(System.currentTimeMillis(), identifier, info);
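
Review bot: `renewIfRequired(System.currentTimeMillis(), identifier, info)` runs inside `retrievePassword`, which the SASL DIGEST-MD5 server callback invokes to look up the secret before the client's response has been verified, so presenting a known token identifier is enough to trigger a renewal. Consider renewing only after the handshake succeeds, or document why renewal on lookup is acceptable, and make sure the helper cannot extend a token past its maximum lifetime; the `info == null` check above it also means a token already removed by the expiry thread still fails with InvalidToken.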

You are able to reproduce this scenario?

github-actions bot commented Jun 1, 2024

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
Feel free to reach out on the dev@hive.apache.org list if the patch is in need of reviews.

@github-actions github-actions bot added the stale label Jun 1, 2024
@github-actions github-actions bot closed this Jun 9, 2024