Hive/HCatalog
ZooKeeper Usage:
- /hiveserver2 - The parent znode used by HiveServer2 when supporting dynamic service discovery. Each server instance creates an ephemeral znode under this namespace. Exposed via the hive config: hive.server2.zookeeper.namespace
- /hivedelegation/METASTORE - HA ONLY - The root path for token store data, used by Metastore servers to store delegation tokens. Exposed via hive config: hive.cluster.delegation.token.store.zookeeper.znode
- /hivedelegation/HIVESERVER2 - HA ONLY - The root path for token store data, used by HiveServer2 servers to store delegation tokens. Exposed via hive config: hive.cluster.delegation.token.store.zookeeper.znode
- /hive_zookeeper_namespace - Used by the ZooKeeper-based implementation of Hive's LockMgr (ZooKeeperHiveLockManager), if that lock manager is used. This znode is writable by any user, because it coordinates locking among multiple users. Controlled by hive config: hive.zookeeper.namespace. Which LockMgr is used is in turn controlled by hive config: hive.lock.manager. (Note also that if ACID is used, the ZooKeeper-based lock manager is not used.)
- /llap-<sasl|unsecure>/user-<user_name> - Used by LLAP to store cluster node locations. Should be writable by hive and readable by anyone. LLAP takes care of enforcing the ACLs for the secure path.
- /zkdtsm_<cluster_id>/ZKDTSMRoot/* - Used by the LLAP token/secret manager, in secure clusters only. Should be accessible only by hive. LLAP sets and validates the ACLs.
Default ACLs:
- /hiveserver2 - world:anyone:r
- /hiveserver2 - sasl:hive:cdrwa
- /hivedelegation - world:anyone:r
- /hivedelegation - sasl:hive:cdrwa
- /hive_zookeeper_namespace - completely-open
- /llap-sasl/user-<user_name> - sasl:hive:cdrwa, world:anyone:r
- /llap-unsecure/user-<user_name> - world:anyone:cdrwa
- /zkdtsm_<cluster_id>/ZKDTSMRoot/* - sasl:hive:cdrwa
Note that ACLs are considered recursively applied to nodes inside these roots - i.e., /hivedelegation/METASTORE, /hivedelegation/HIVESERVER2, or /hiveserver2/<first_server>.
Security Best Practice ACLs/Permissions and Required Steps:
- /hiveserver2 - world:anyone:r
- /hiveserver2 - sasl:hive:cdrwa
- /hivedelegation - world:anyone:r
- /hivedelegation - sasl:hive:cdrwa
- /hive_zookeeper_namespace - completely-open
- /llap-sasl/user-<user_name> - sasl:hive:cdrwa, world:anyone:r
- /llap-unsecure/user-<user_name> - world:anyone:cdrwa
- /zkdtsm_<cluster_id>/ZKDTSMRoot/* - sasl:hive:cdrwa
Note that ACLs are considered recursively applied to nodes inside these roots - i.e., /hivedelegation/METASTORE, /hivedelegation/HIVESERVER2, or /hiveserver2/<first_server>.
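The table above is easy to check mechanically. The following script is an example added to this page (it is not Hive's or ZooKeeper's own code): it takes an inventory of znode paths and their ACL entries, in the same scheme:id:perms form that zkCli.sh setAcl accepts, and compares each path against the best-practice ACLs of the longest matching Hive root, applying root ACLs to children as the note above describes. The inventory shown is a constructed sample; the host name, cluster id and sequence number in it are invented, and "completely-open" is written out as world:anyone:cdrwa (ZooKeeper's OPEN_ACL_UNSAFE).

```python
"""Offline audit of ZooKeeper znode ACLs against the Hive/HCatalog best-practice
table above. Example code added to this page; it is not Hive's or ZooKeeper's own
code. Input is a path -> ACL-entries mapping (a constructed sample below) in the
same scheme:id:perms form that zkCli.sh setAcl accepts."""

import re
from typing import Dict, List, Optional, Set, Tuple

# Expected ACLs per root, transcribed from the table above. "completely-open" is
# written out as world:anyone:cdrwa (ZooKeeper's OPEN_ACL_UNSAFE). <user_name>
# and <cluster_id> are placeholders that match exactly one path component.
EXPECTED_ACLS: Dict[str, List[str]] = {
    "/hiveserver2": ["world:anyone:r", "sasl:hive:cdrwa"],
    "/hivedelegation": ["world:anyone:r", "sasl:hive:cdrwa"],
    "/hive_zookeeper_namespace": ["world:anyone:cdrwa"],
    "/llap-sasl/user-<user_name>": ["sasl:hive:cdrwa", "world:anyone:r"],
    "/llap-unsecure/user-<user_name>": ["world:anyone:cdrwa"],
    "/zkdtsm_<cluster_id>/ZKDTSMRoot": ["sasl:hive:cdrwa"],
}

PERM_ORDER = "cdrwa"       # the order in which ZooKeeper prints permission strings
WRITE_PERMS = set("cdwa")  # every permission bit beyond read


def parse_acl(entry: str) -> Tuple[str, str, str]:
    """Split 'scheme:id:perms' into (scheme, id, canonical perms).

    The id may itself contain ':' (digest:user:hash, ip:addr/bits), so the
    scheme is cut from the front and the perms from the back.
    """
    scheme, rest = entry.split(":", 1)
    ident, perms = rest.rsplit(":", 1)
    if not perms or any(p not in PERM_ORDER for p in perms):
        raise ValueError(f"bad permission string in {entry!r}")
    canon = "".join(p for p in PERM_ORDER if p in perms)
    return scheme, ident, canon


def canonical(entries: List[str]) -> Set[str]:
    """Normalise ACL entries so that 'crwda' and 'cdrwa' compare equal."""
    return {":".join(parse_acl(e)) for e in entries}


def _root_regex(root: str):
    # "/llap-sasl/user-<user_name>" -> matches that root and anything beneath it
    parts = re.split(r"<[^>]+>", root)
    body = "[^/]+".join(re.escape(p) for p in parts)
    return re.compile(rf"^{body}(?:/|$)")


def expected_for(path: str) -> Tuple[Optional[str], Optional[List[str]]]:
    """Longest matching Hive root for a znode path, or (None, None).

    Root ACLs are treated as applying to every node beneath the root, so
    /hivedelegation/METASTORE is judged against /hivedelegation's entry.
    """
    best = None
    for root, acls in EXPECTED_ACLS.items():
        m = _root_regex(root).match(path)
        if m and (best is None or m.end() > best[0]):
            best = (m.end(), root, acls)
    return (best[1], best[2]) if best else (None, None)


def audit(observed: Dict[str, List[str]]) -> List[str]:
    """Return one finding per deviation; an empty list means everything matches."""
    findings: List[str] = []
    for path, acls in sorted(observed.items()):
        root, expected = expected_for(path)
        if root is None:
            findings.append(f"{path}: not under any known Hive root")
            continue
        have, want = canonical(acls), canonical(expected)
        for extra in sorted(have - want):
            scheme, _, perms = parse_acl(extra)
            # world:anyone holding any write/admin bit where the table does not
            # grant it is the deviation that matters most, so label it separately.
            kind = "OPEN-WRITE" if scheme == "world" and WRITE_PERMS & set(perms) else "EXTRA"
            findings.append(f"{path}: {kind} {extra} (root {root})")
        for missing in sorted(want - have):
            findings.append(f"{path}: MISSING {missing} (root {root})")
    return findings


# Constructed sample inventory (host, cluster id and sequence number are invented).
SAMPLE_OBSERVED: Dict[str, List[str]] = {
    "/hiveserver2": ["world:anyone:r", "sasl:hive:cdrwa"],
    "/hiveserver2/serverUri=hs2-a.example.internal:10001;version=3.1.0;sequence=0000000007":
        ["sasl:hive:crwda", "world:anyone:r"],            # same perms, different spelling
    "/hivedelegation/METASTORE": ["world:anyone:cdrwa"],  # token store left world-writable
    "/hive_zookeeper_namespace": ["world:anyone:cdrwa"],
    "/llap-sasl/user-hive": ["sasl:hive:cdrwa", "world:anyone:r"],
    "/zkdtsm_prodcluster/ZKDTSMRoot/keys": ["sasl:hive:cdrwa", "world:anyone:r"],
}

if __name__ == "__main__":
    for line in audit(SAMPLE_OBSERVED):
        print(line)
```

Run against the sample, the audit reports the delegation token store as OPEN-WRITE (world:anyone:cdrwa where only sasl:hive should write, plus the two expected entries missing) and the secret-manager child as carrying an EXTRA world-readable entry; the HiveServer2 child with permission letters in a different order is correctly treated as compliant. The hive_zookeeper_namespace root is accepted as world-writable because the table above says it is open by design.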