-
Notifications
You must be signed in to change notification settings - Fork 4.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
HIVE-28042: DigestMD5 token expired or does not exist issue while opening connection to HMS #5049
Conversation
9cde0e6
to
364fde0
Compare
364fde0
to
24ec12b
Compare
Quality Gate passedThe SonarCloud Quality Gate passed, but some issues were introduced. 18 New issues |
Did you see the same issue in case of other long running framework accessing the HMS? Such as Spark streaming. |
@@ -956,14 +986,16 @@ private TTransport createAuthBinaryTransport(URI store, TTransport underlyingTra | |||
// tokenSig could be null | |||
tokenStrForm = SecurityUtils.getTokenStrForm(tokenSig); | |||
|
|||
if (tokenStrForm != null) { | |||
if (tokenStrForm != null && !fallbackToKerberos) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Earlier tokenStrForm is null, it will fallback to kerberos without fallbackToKerberos token
@@ -103,6 +105,10 @@ public byte[] retrievePassword(DelegationTokenIdentifier identifier) throws Inva | |||
if (info == null) { | |||
throw new InvalidToken("token expired or does not exist: " + identifier); | |||
} | |||
renewIfRequired(System.currentTimeMillis(), identifier, info); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You are able to reproduce this scenario?
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. |
What changes were proposed in this pull request?
Adding three changes to fix this issue:
Why are the changes needed?
Facing DigestMD5 token expiry issue in a session which has been open since a long time when a new new connection is opened to HMS using TSaslClientTransport with DigestMD5 based auth. This issue is happening due to the fact that the new connection is trying to authenticate using the token identifier which is removed by the expiry thread in the background.
Does this PR introduce any user-facing change?
No
Is the change a dependency upgrade?
No
How was this patch tested?
Added a test case to check the expiry thread renewing the token automatically after some time and removing a token automatically after the token has expired.
Tested the scenario on a machine with dedicated HMS, HS2 with Sasl enabled.