Details
- Improvement
- Status: Closed
- Major
- Resolution: Fixed
- 0.8.0, 0.9.0
- None
Description
We require an HA deployment of the metastore server for HCatalog:
- Multiple server instances run behind VIP
- Database provides HA
Metastore server instances will need to be able to share any state required for VIP outside RDBMS. As of Hive 0.8, the affected conversational state that needs to support the VIP/HA setup is limited to current delegation tokens. Is this correct?
We are planning to use ZooKeeper to share current delegation tokens and master keys between nodes of the VIP. ZK is already (optionally) used by Hive for concurrency control. Access to ZK would be limited on the network level or, in the future, when ZooKeeper supports security, through Kerberos, similar to NN access.
Currently Hive taps into Hadoop core security delegation token support through an extension of org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager<TokenIdent>.
A solution could amend the Hive-specific extension to support:
- Pluggable delegation token and master key store (ZooKeeper as alternative for in-memory AbstractDelegationTokenSecretManager)
- Delegation token retrieval from token store when not found in memory (wrap/extend retrievePassword(...))
- Cancellation of token in token store
- Purging of expired tokens from token store
http://www.mail-archive.com/hcatalog-user@incubator.apache.org/msg00053.html
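A minimal sketch of the design proposed above, added here as an illustration and not taken from Hive or Hadoop: two secret-manager instances share one pluggable token store, covering cross-instance retrieval, cancellation and purging of expired tokens. All type and method names are hypothetical and an in-memory map stands in for ZooKeeper. The sketch reads the store on every lookup, rather than only on a memory miss, so that a cancellation on one instance is honored by the others.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
// Added sketch, not Hive or Hadoop code; every name below is hypothetical.
public class SharedTokenStoreSketch {
    // State an instance must share so that any other instance can validate the token.
    static final class TokenInfo {
        final byte[] password; final long expiryMillis;
        TokenInfo(byte[] p, long e) { password = p.clone(); expiryMillis = e; }
    }
    // Pluggable store: a ZooKeeper-backed class would implement the same calls.
    interface TokenStore {
        void put(String tokenId, TokenInfo info);
        TokenInfo get(String tokenId);          // null when unknown or cancelled
        boolean remove(String tokenId);
        void removeExpired(long nowMillis);
    }
    static final class MemoryTokenStore implements TokenStore {   // stand-in for ZooKeeper
        private final Map<String, TokenInfo> tokens = new ConcurrentHashMap<>();
        public void put(String id, TokenInfo info) { tokens.put(id, info); }
        public TokenInfo get(String id) { return tokens.get(id); }
        public boolean remove(String id) { return tokens.remove(id) != null; }
        public void removeExpired(long now) { tokens.values().removeIf(t -> t.expiryMillis <= now); }
    }
    // One metastore instance behind the VIP; it keeps no token state of its own.
    static final class SecretManager {
        private final TokenStore store;
        SecretManager(TokenStore store) { this.store = store; }
        void issue(String id, byte[] pw, long expiry) { store.put(id, new TokenInfo(pw, expiry)); }
        byte[] retrievePassword(String id, long now) {
            TokenInfo t = store.get(id);
            // Reject unknown, cancelled and expired tokens alike, even before a purge has run.
            if (t == null || t.expiryMillis <= now) throw new SecurityException("invalid token " + id);
            return t.password.clone();
        }
        boolean cancel(String id) { return store.remove(id); }
    }
    public static void main(String[] args) {
        TokenStore shared = new MemoryTokenStore();
        SecretManager a = new SecretManager(shared), b = new SecretManager(shared);
        a.issue("t1", new byte[] {1, 2, 3}, 2_000L);   // constructed sample tokens
        a.issue("t2", new byte[] {4, 5, 6}, 500L);
        System.out.println("b validates a's token: " + b.retrievePassword("t1", 1_000L).length);
        shared.removeExpired(1_000L);                  // purge pass drops t2
        System.out.println("t2 purged: " + (shared.get("t2") == null));
        System.out.println("cancelled via b: " + b.cancel("t1"));
        try { a.retrievePassword("t1", 1_000L); }      // a must now reject the token
        catch (SecurityException e) { System.out.println("rejected on a: " + e.getMessage()); }
    }
}
```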
Issue Links
- depends upon
  - HIVE-1696 Add delegation token support to metastore (Closed)
- incorporates
  - HIVE-2712 Make ZooKeeper token store ACL configurable (Closed)
- is related to
  - ZOOKEEPER-938 Support Kerberos authentication of clients. (Closed)
- relates to
  - HIVE-3255 Add DBTokenStore to store Delegation Tokens in DB (Closed)
  - HADOOP-7829 Delegation token manager should support token store abstraction (Open)