Date: Tue, 15 Nov 2011 05:25:51 +0000 (UTC)
From: "Andreas Neumann (Commented) (JIRA)"
To: hive-dev@hadoop.apache.org
Subject: [jira] [Commented] (HIVE-2467) HA Support for Metastore Server

[ 
https://issues.apache.org/jira/browse/HIVE-2467?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13150243#comment-13150243 ]

Andreas Neumann commented on HIVE-2467:
---------------------------------------

If Hadoop .23 relies on ZooKeeper, then I would hope that ZK is already baked in... otherwise I would tend to think, if ZK is tolerably secure for Hadoop, then it should be tolerable for Hive/HCatalog. After all, afaik both Hive and HCatalog piggy back on HDFS for security.

But I like the idea of having different implementations for the TokenStore, even though my preferred deployment would be ZooKeeper-based.

> HA Support for Metastore Server
> --------------------------------
>
> Key: HIVE-2467
> URL: https://issues.apache.org/jira/browse/HIVE-2467
> Project: Hive
> Issue Type: Improvement
> Components: Metastore, Security, Server Infrastructure
> Affects Versions: 0.8.0, 0.9.0
> Reporter: Thomas Weise
> Assignee: Thomas Weise
> Fix For: 0.9.0
>
> Attachments: HIVE-2467.patch
>
>
> We require HA deployment for metastore server for HCatalog:
> * Multiple server instances run behind VIP
> * Database provides HA
> Metastore server instances will need to be able to share any state required for VIP outside RDBMS. As of Hive 0.8 affected conversational state that needs to support VIP/HA setup is limited to current delegation tokens. Is this correct?
> We are planning to use ZooKeeper to share current delegation tokens and master keys between nodes of the VIP. ZK is already (optionally) used by Hive for concurrency control. Access to ZK would be limited on the network level or in the future, when ZooKeeper supports security, through Kerberos, similar to NN access.
> Currently Hive taps into Hadoop core security delegation token support through extension of
> org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager
> A solution could amend the Hive specific extension to support:
> * Pluggable delegation token and master key store (ZooKeeper as alternative for in-memory AbstractDelegationTokenSecretManager)
> * Delegation token retrieval from token store when not found in memory (wrap/extend retrievePassword(...))
> * Cancellation of token in token store
> * Purging of expired tokens from token store
> http://www.mail-archive.com/hcatalog-user@incubator.apache.org/msg00053.html

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
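
A sketch of the token-store design listed in the quoted issue description, added here as an example; it is not code from HIVE-2467.patch, Hive or Hadoop. Every class and method name other than `retrievePassword` is hypothetical, an in-memory map stands in for ZooKeeper, and the `record` type assumes Java 16 or later.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
// All names are hypothetical; this is not Hive's or Hadoop's API.
public class SharedTokenStoreSketch {
    record TokenInfo(byte[] password, long expiryMillis) {}
    // Pluggable store; a ZooKeeper-backed class would implement the same interface.
    interface TokenStore {
        void put(String id, TokenInfo info);
        TokenInfo get(String id);
        void remove(String id);
        void purgeExpired(long nowMillis);
    }
    static class MemoryTokenStore implements TokenStore {   // stand-in so the example runs offline
        private final Map<String, TokenInfo> tokens = new ConcurrentHashMap<>();
        public void put(String id, TokenInfo info) { tokens.put(id, info); }
        public TokenInfo get(String id) { return tokens.get(id); }
        public void remove(String id) { tokens.remove(id); }
        public void purgeExpired(long now) { tokens.values().removeIf(t -> t.expiryMillis() <= now); }
    }
    static class Instance {   // one metastore instance behind the VIP
        private final Map<String, TokenInfo> local = new ConcurrentHashMap<>();
        private final TokenStore store;
        Instance(TokenStore store) { this.store = store; }
        void issue(String id, byte[] password, long expiry) {
            TokenInfo info = new TokenInfo(password, expiry);
            local.put(id, info); store.put(id, info);
        }
        // Memory miss falls back to the shared store; expired tokens are rejected.
        byte[] retrievePassword(String id, long now) {
            TokenInfo t = local.get(id);
            if (t == null) t = store.get(id);
            if (t == null || t.expiryMillis() <= now) throw new SecurityException("invalid token " + id);
            local.putIfAbsent(id, t);
            return t.password();
        }
        // Copies cached on other instances are not invalidated by this sketch.
        void cancel(String id) { local.remove(id); store.remove(id); }
    }
    public static void main(String[] args) {
        TokenStore shared = new MemoryTokenStore();
        Instance a = new Instance(shared), b = new Instance(shared);
        long now = 1_000L;                                   // constructed clock value
        a.issue("tok-1", new byte[] {1, 2, 3}, now + 500);   // constructed tokens
        a.issue("tok-2", new byte[] {9}, now + 10);
        System.out.println("b resolves a's token: " + (b.retrievePassword("tok-1", now).length == 3));
        b.cancel("tok-1");
        shared.purgeExpired(now + 20);
        System.out.println("store holds tok-1/tok-2: " + (shared.get("tok-1") != null) + "/" + (shared.get("tok-2") != null));
    }
}
```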