Apache ZooKeeper ACLs
Also available as:
PDF

ZooKeeper ACLs Best Practices: Hive/HCatalog

Best practices for tightening the ZooKeeper ACLs/permissions for Hive/HCatalog when provisioning a secure cluster.

  • ZooKeeper Usage:
    • /hiveserver2 - The parent znode used by HiveServer2 when supporting dynamic service discovery. Each server instance creates an ephemeral znode under this namespace. Exposed via the hive config: hive.server2.zookeeper.namespace

    • /hivedelegation/METASTORE - HA ONLY - The root path for token store data, used by Metastore servers to store delegation tokens. Exposed via hive config: hive.cluster.delegation.token.store.zookeeper.znode

    • /hivedelegation/HIVESERVER2 - HA ONLY - The root path for token store data, used by HiveServer2 servers to store delegation tokens. Exposed via hive config: hive.cluster.delegation.token.store.zookeeper.znode

    • /hive_zookeeper_namespace - Used by ZooKeeper-based implementation of Hive’s LockMgr (ZooKeeperHiveLockManager) if used. This usage is writable-to by any user as it tries to co-ordinate locking among multiple users. Controlled by hive config : hive.zookeeper.namespace. In addition, which LockMgr we use is also controlled by hive config : hive.lock.manager. (Note also, that if ACID is used, we do not use a ZooKeeper-based lock manager)

    • /llap-<sasl|unsecure>/user-<user_name> is used by LLAP to store cluster node locations. Should be writable by hive, readable by anyone. LLAP takes care of enforcing the ACLs for the secure path.

    • /zkdtsm_<cluster_id>/ZKDTSMRoot/* is used by LLAP token/secret manager, in secure cluster only. Should only be accessible by hive. LLAP sets and validates the ACLs.

  • Default ACLs:
    • /hiveserver2 - world:anyone:r

    • /hiveserver2 - sasl:hive:cdrwa

    • /hivedelegation - world:anyone:r

    • /hivedelegation - sasl:hive:cdrwa

    • /hive_zookeeper_namespace - completely-open

    • /llap-sasl/user-<user_name> - sasl:hive:cdrwa, world:anyone:r

    • /llap-unsecure/user-<user_name> - world:anyone:cdrwa

    • /zkdtsm_<cluster_id>/ZKDTSMRoot/* - sasl:hive:cdrwa

    Note that ACLs are considered recursively applied to nodes inside these roots - i.e., /hivedelegation/METASTORE, /hivedelegation/HIVESERVER2, or /hiveserver2/<first_server> .

  • Security Best Practice ACLs/Permissions and Required Steps:
    • /hiveserver2 - world:anyone:r

    • /hiveserver2 - sasl:hive:cdrwa

    • /hivedelegation - world:anyone:r

    • /hivedelegation - sasl:hive:cdrwa

    • /hive_zookeeper_namespace - completely-open

    • /llap-sasl/user-<user_name> - sasl:hive:cdrwa, world:anyone:r

    • /llap-unsecure/user-<user_name> - world:anyone:cdrwa

    • /zkdtsm_<cluster_id>/ZKDTSMRoot/* - sasl:hive:cdrwa

    Note that ACLs are considered recursively applied to nodes inside these roots - i.e., /hivedelegation/METASTORE, /hivedelegation/HIVESERVER2, or /hiveserver2/<first_server> .