Hive/HCatalog

« Prev

ZooKeeper Usage:
- /hiveserver2 - The parent znode used by HiveServer2 when supporting dynamic service discovery. Each server instance creates an ephemeral znode under this namespace. Exposed via the hive config: hive.server2.zookeeper.namespace
- /hivedelegation/METASTORE - HA ONLY - The root path for token store data, used by Metastore servers to store delegation tokens. Exposed via hive config: hive.cluster.delegation.token.store.zookeeper.znode
- /hivedelegation/HIVESERVER2 - HA ONLY - The root path for token store data, used by HiveServer2 servers to store delegation tokens. Exposed via hive config: hive.cluster.delegation.token.store.zookeeper.znode
- /hive_zookeeper_namespace - Used by ZooKeeper-based implementation of Hive’s LockMgr (ZooKeeperHiveLockManager) if used. This usage is writable-to by any user as it tries to co-ordinate locking among multiple users. Controlled by hive config : hive.zookeeper.namespace. In addition, which LockMgr we use is also controlled by hive config : hive.lock.manager. (Note also, that if ACID is used, we do not use a ZooKeeper-based lock manager)
- /llap-<sasl|unsecure>/user-<user_name> is used by LLAP to store cluster node locations. Should be writable by hive, readable by anyone. LLAP takes care of enforcing the ACLs for the secure path.
- /zkdtsm_<cluster_id>/ZKDTSMRoot/* is used by LLAP token/secret manager, in secure cluster only. Should only be accessible by hive. LLAP sets and validates the ACLs.
Default ACLs:
- /hiveserver2 - world:anyone:r
- /hiveserver2 - sasl:hive:cdrwa
- /hivedelegation - world:anyone:r
- /hivedelegation - sasl:hive:cdrwa
- /hive_zookeeper_namespace - completely-open
- /llap-sasl/user-<user_name> - sasl:hive:cdrwa, world:anyone:r
- /llap-unsecure/user-<user_name> - world:anyone:cdrwa
- /zkdtsm_<cluster_id>/ZKDTSMRoot/* - sasl:hive:cdrwa
Note that ACLs are considered recursively applied to nodes inside these roots - i.e., /hivedelegation/METASTORE, /hivedelegation/HIVESERVER2, or /hiveserver2/<first_server>.
Security Best Practice ACLs/Permissions and Required Steps:
- /hiveserver2 - world:anyone:r
- /hiveserver2 - sasl:hive:cdrwa
- /hivedelegation - world:anyone:r
- /hivedelegation - sasl:hive:cdrwa
- /hive_zookeeper_namespace - completely-open
- /llap-sasl/user-<user_name> - sasl:hive:cdrwa, world:anyone:r
- /llap-unsecure/user-<user_name> - world:anyone:cdrwa
- /zkdtsm_<cluster_id>/ZKDTSMRoot/* - sasl:hive:cdrwa
Note that ACLs are considered recursively applied to nodes inside these roots - i.e., /hivedelegation/METASTORE, /hivedelegation/HIVESERVER2, or /hiveserver2/<first_server>.

​Hive/HCatalog