Skip to main content
Version 3.0

Security - Hive Metastore

ChartVersion3.0.1TypeapplicationAppVersion4.0.0
CompatibilityKubernetes1.32+OpenShift4.19+Rancher2.10.x+
Feature SupportS3supportedExternal DBsupported

For Hive Metastore, security considerations focus on the credentials used for PostgreSQL and S3, the Secrets associated with deployment, and the security contexts applied to pods and containers.

User authentication, SSO, LDAP, Ranger, and authorization policy settings are outside the scope of this page.

Credentials and Secrets

Hive Metastore uses credentials to access the PostgreSQL database that stores metadata and, when metastore.type: s3, to access the S3/S3A endpoint configured in the chart.

Do not store passwords in versioned values.yaml files. Use private values files, secure CI, or the environment's Secret management mechanism.

PostgreSQL credentials

With postgres.enabled: true, the chart uses internal PostgreSQL. Set the hive user password in tdp-hive-metastore.postgres.password:

tdp-hive-metastore:
postgres:
enabled: true
database: hive
username: hive
password: "<POSTGRES_PASSWORD>"

If you need to connect directly to the hive database, retrieve the generated password from the release Secret:

kubectl get secret -n <NAMESPACE> <RELEASE_NAME>-hive-database   -o jsonpath="{.data.password}" | base64 --decode

With external PostgreSQL (postgres.enabled: false), the pre-install hooks look up the admin password in the Secret associated with the release defined in TDP-Settings.externalDatabase.externalSecret.releaseName. That Secret must contain the postgres-password key in the TDP format. For the external database configuration parameters, see Hive Metastore Configuration.

S3 credentials

To use the warehouse in S3 mode, configure metastore.type: s3 and provide credentials in tdp-hive-metastore.metastore.s3.accessKey and tdp-hive-metastore.metastore.s3.secretKey:

tdp-hive-metastore:
metastore:
type: s3
s3:
endpoint: "http://<S3_SERVICE>.<NAMESPACE>.svc.cluster.local:9000"
accessKey: "<S3_ACCESS_KEY>"
secretKey: "<S3_SECRET_KEY>"

Protect these values through a private values file, secure CI, or the Secret management tool adopted by the environment. To configure s3 mode, see Hive Metastore Configuration.

imagePullSecrets

Use tdp-hive-metastore.imagePullSecrets for pulling images from private registries:

tdp-hive-metastore:
imagePullSecrets:
- name: tdp-registry

The referenced Secret must exist in the namespace where Hive Metastore is installed. In environments that use cluster policy to inject imagePullSecrets, align this value with the strategy adopted by the cluster.

podSecurityContext and containerSecurityContext

Configure workload and helper job security contexts in podSecurityContext and containerSecurityContext:

tdp-hive-metastore:
podSecurityContext:
seccompProfile:
type: RuntimeDefault

containerSecurityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: false
seccompProfile:
type: RuntimeDefault
capabilities:
drop:
- ALL

These values reduce container permissions and apply seccompProfile: RuntimeDefault. Preserve these defaults unless the Kubernetes/OpenShift environment explicitly requires a change.

Troubleshooting

ProblemProbable causeSolution
Metastore does not start (external database)Secret with postgres-password missing or incorrect release nameCheck externalSecret.releaseName
Pre-install hook failurePostgreSQL not accessible or max_connections insufficientCheck connectivity and SHOW max_connections
Authentication deniedIncorrect credentials in valuesReview postgres.username and postgres.password
S3 credentials do not workIncorrect accessKey, secretKey, or S3 endpointCheck tdp-hive-metastore.metastore.s3.* and avoid credentials in versioned values
Image pull failsRegistry Secret missing or incorrect nameCheck tdp-hive-metastore.imagePullSecrets and whether the Secret exists in the namespace
Pod blocked by security policypodSecurityContext or containerSecurityContext incompatible with the cluster policyCheck Pod events and adjust only as required by the environment

For the complete parameter list, use helm show values for the chart version you installed.