hive icon indicating copy to clipboard operation
hive copied to clipboard

Published 20 hours ago verified publisher icon apache

HIVE-28042: DigestMD5 token expired or does not exist issue while opening connection to HMS

Open vikramahuja1001 opened this issue 1 year ago • 2 comments

What changes were proposed in this pull request?

Adding three changes to fix this issue:

  1. Rework expiry thread to not remove token after renewal time has passed for that particular token. It will actually try to renew the token in this case.
  2. Individual calls to retrievePassword during the TSaslClientTransport auth will also try to renew the token if required before retrieving the password.
  3. Added a fallback mechanism to retry opening HMS connection using TSaslClientTransport with Kerberos auth in case the previous call fails with DigestMD5 auth.

Why are the changes needed?

Facing DigestMD5 token expiry issue in a session which has been open since a long time when a new new connection is opened to HMS using TSaslClientTransport with DigestMD5 based auth. This issue is happening due to the fact that the new connection is trying to authenticate using the token identifier which is removed by the expiry thread in the background.

Does this PR introduce any user-facing change?

No

Is the change a dependency upgrade?

No

How was this patch tested?

Added a test case to check the expiry thread renewing the token automatically after some time and removing a token automatically after the token has expired. Tested the scenario on a machine with dedicated HMS, HS2 with Sasl enabled.

vikramahuja1001 avatar Jan 30 '24 06:01 vikramahuja1001

Quality Gate Passed Quality Gate passed

The SonarCloud Quality Gate passed, but some issues were introduced.

18 New issues
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarCloud

sonarqubecloud[bot] avatar Jan 31 '24 04:01 sonarqubecloud[bot]

Did you see the same issue in case of other long running framework accessing the HMS? Such as Spark streaming. I am not very familar this part, but i think this fix deserves more attention. Waitting for other folks to give some valuable comments. :)

zhangbutao avatar Feb 19 '24 15:02 zhangbutao

@nrg4878 and @ayushtkn, could you please have a look around this PR?

vikramahuja1001 avatar Mar 19 '24 07:03 vikramahuja1001

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Feel free to reach out on the [email protected] list if the patch is in need of reviews.

github-actions[bot] avatar Jun 01 '24 00:06 github-actions[bot]

I have aded another test in this patch. Since this PR is closed i have raised another PR now. @chinnaraolalam ,please review it once. New PR: https://github.com/apache/hive/pull/5303

vikramahuja1001 avatar Jun 14 '24 13:06 vikramahuja1001