Add support for Hive delegation token renewer principal configuration.
This patch introduces a new configuration option, security.delegation.tokens.hive.renewer, that allows specifying the principal under which Hive delegation tokens will be renewed.
Asmoday committed Sep 9, 2024
1 parent 7590f06 commit c0e72f4
Showing 2 changed files with 19 additions and 2 deletions.
Expand Up @@ -18,9 +18,12 @@

package org.apache.flink.table.security.token;

import org.apache.commons.lang3.StringUtils;

import org.apache.flink.annotation.Internal;
import org.apache.flink.annotation.VisibleForTesting;
import org.apache.flink.configuration.Configuration;
import org.apache.flink.configuration.SecurityOptions;
import org.apache.flink.core.security.token.DelegationTokenProvider;
import org.apache.flink.runtime.security.token.hadoop.HadoopDelegationTokenConverter;
import org.apache.flink.runtime.security.token.hadoop.KerberosLoginProvider;
Expand Down Expand Up @@ -56,6 +59,8 @@ public class HiveServer2DelegationTokenProvider implements DelegationTokenProvid

private Long tokenRenewalInterval;

private String hiveTokenRenewerPrincipal;

@Override
public String serviceName() {
return "HiveServer2";
Expand All @@ -65,6 +70,8 @@ public String serviceName() {
public void init(Configuration configuration) throws Exception {
hiveConf = getHiveConfiguration(configuration);
kerberosLoginProvider = new KerberosLoginProvider(configuration);
hiveTokenRenewerPrincipal = configuration
.get(SecurityOptions.DELEGATION_TOKENS_HIVE_RENEWER, "");
}

private org.apache.hadoop.conf.Configuration getHiveConfiguration(Configuration conf) {
Expand Down Expand Up @@ -136,9 +143,11 @@ public ObtainedDelegationTokens obtainDelegationTokens() throws Exception {
try {
LOG.info("Obtaining Kerberos security token for HiveServer2");

String principal =
String principal = !StringUtils.isEmpty(hiveTokenRenewerPrincipal) ?
hiveTokenRenewerPrincipal :
hiveConf.getTrimmed(
"hive.metastore.kerberos.principal", "");
"hive.metastore.kerberos.principal",
"");

String tokenStr =
hive.getDelegationToken(
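Review bot: The new ternary in obtainDelegationTokens() tests the configured renewer with `StringUtils.isEmpty` and then uses it untrimmed, while the fallback goes through `hiveConf.getTrimmed(...)`, so a whitespace-only value or one with a stray trailing space would reach the `hive.getDelegationToken(` call that follows. Since the renewer is the identity allowed to extend the token's lifetime, I would normalise it once in init(), `hiveTokenRenewerPrincipal = configuration.get(SecurityOptions.DELEGATION_TOKENS_HIVE_RENEWER, "").trim();`, and test it here with `StringUtils.isNotBlank(hiveTokenRenewerPrincipal)`. The only log line in the hunk is "Obtaining Kerberos security token for HiveServer2"; including the chosen principal in it would record which identity was named as renewer. The method starts above the hunk and the call's arguments continue below it, so how `principal` is finally passed is not visible here.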
Expand Up @@ -215,6 +215,14 @@ public class SecurityOptions {
+ "possible to disable that behavior if it somehow conflicts "
+ "with the application being run.");

@Documentation.Section(value = Documentation.Sections.SECURITY_DELEGATION_TOKEN, position = 5)
public static final ConfigOption<String> DELEGATION_TOKENS_HIVE_RENEWER =
key("security.delegation.tokens.hive.renewer")
.stringType()
.noDefaultValue()
.withDescription("Specifies the principal under which the delegation tokens "
+ "for Hive will be renewed.");

/**
* Returns a view over the given configuration via which options can be set/retrieved for the
* given provider.
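Review bot: The description of `DELEGATION_TOKENS_HIVE_RENEWER` does not say what happens when the option is left unset or what form the value takes. The provider change in this commit falls back to `hive.metastore.kerberos.principal` from the Hive configuration, so I would spell that out, for example `.withDescription("Kerberos principal named as the renewer of Hive delegation tokens. " + "If unset, hive.metastore.kerberos.principal from the Hive configuration is used.")`. Because this value decides which identity may renew the tokens, a sentence noting that it should name a trusted service principal is worth adding. The commit touches two files only, so the generated option reference was presumably not regenerated; please check.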