Security — Hive Metastore
Access to the Hive Metastore is controlled by the PostgreSQL database credentials. The tdp-hive-metastore chart supports an internal (embedded) or external database, and in both cases the database password is protected via a Kubernetes Secret.
Internal database (embedded PostgreSQL)
When postgres.enabled: true, the chart deploys an internal PostgreSQL instance. The hive user password is defined directly in values.yaml:
```yaml
tdp-hive-metastore:
  postgres:
    enabled: true
    database: hive
    username: hive
    password: "<POSTGRES_PASSWORD>"
```
Do not store passwords in versioned values.yaml files. Use a private values file (outside version control) or a Secrets management mechanism in your environment.
After deployment, the chart automatically creates a Secret named <release>-hive-database containing the password key. To retrieve the generated password:
```bash
kubectl get secret -n <namespace> <release>-hive-database \
  -o jsonpath="{.data.password}" | base64 --decode
```
External database (shared PostgreSQL)
When postgres.enabled: false, Hive Metastore connects to an external PostgreSQL instance. Authentication is managed via TDPConfigurations.externalDatabase:
```yaml
tdp-hive-metastore:
  postgres:
    enabled: false
    external:
      host: "<POSTGRESQL_HOST>"
      port: 5432
  TDPConfigurations:
    externalDatabase:
      enabled: true
    externalSecret:
      releaseName: "tdp-postgresql-project"
```
The externalSecret.releaseName field points to the PostgreSQL release whose Secret contains the postgres-password key (admin password). The pre-install hooks use this credential to create the hive database and user.
| Field | Description |
|---|---|
| externalDatabase.enabled | Enables hooks that validate and provision the external database |
| externalDatabase.recreate | When true, drops and recreates the database before provisioning; use only during reinstallations |
| externalSecret.releaseName | Name of the PostgreSQL release from which the Secret containing postgres-password is read |
Minimum PostgreSQL capacity
Hive Metastore requires high database connection availability:
| Requirement | Minimum | Recommended |
|---|---|---|
| max_connections | 300 | 400+ |
The TDP PostgreSQL chart is configured with 400 connections by default. If using an external PostgreSQL instance, verify this parameter before deployment.
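The two external-database prerequisites described above (a Secret that holds the postgres-password key, and max_connections of at least 300) can be checked before running the install. The script below is an added example, not part of the chart; the function names, passing the Secret name as an argument, and connecting as the postgres admin user are assumptions.

```bash
#!/usr/bin/env bash
# Added example: pre-deployment checks for external-database mode.
# Assumptions (not from the chart): the function names, passing the Secret
# name as an argument, and connecting as the "postgres" admin user.

MIN_CONN=300   # "Minimum" in the capacity table
REC_CONN=400   # "Recommended" in the capacity table

# Print ok | low | insufficient | invalid for a max_connections value.
classify_max_connections() {
  case "$1" in
    ''|*[!0-9]*) echo invalid; return 2 ;;
  esac
  if [ "$1" -lt "$MIN_CONN" ]; then echo insufficient; return 1; fi
  if [ "$1" -lt "$REC_CONN" ]; then echo low; else echo ok; fi
}

# Decode the base64 value of the postgres-password key; fail if absent.
decode_admin_password() {
  [ -n "$1" ] || { echo "postgres-password key missing or empty" >&2; return 1; }
  printf '%s' "$1" | base64 --decode 2>/dev/null ||
    { echo "postgres-password is not valid base64" >&2; return 1; }
}

# Usage: preflight <namespace> <secret-name> <pg-host> [port]
preflight() {
  local ns="$1" secret="$2" host="$3" port="${4:-5432}" b64 pw conns status rc=0
  b64=$(kubectl get secret -n "$ns" "$secret" \
        -o jsonpath='{.data.postgres-password}') || return 1
  pw=$(decode_admin_password "$b64") || return 1
  # The password is passed only in psql's environment, never as an argument.
  conns=$(PGPASSWORD=$pw psql -h "$host" -p "$port" -U postgres -d postgres \
          -Atc 'SHOW max_connections') || return 1
  status=$(classify_max_connections "$conns") || rc=$?
  echo "max_connections=$conns: $status"
  return "$rc"
}
```

A non-zero exit from `preflight` means the Secret, the key, connectivity, or the connection limit needs attention before deployment; `low` (between 300 and 399) passes but is below the recommended value.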
Troubleshooting
| Problem | Probable cause | Solution |
|---|---|---|
| Metastore does not start (external database) | Secret with postgres-password missing or incorrect release name | Check externalSecret.releaseName |
| Pre-install hook failures | PostgreSQL unreachable or max_connections insufficient | Check connectivity and SHOW max_connections |
| Authentication denied | Incorrect credentials in values | Review postgres.username and postgres.password |
For the full list of parameters, use helm show values on the version of the chart you installed.