Security - Hive Metastore
For Hive Metastore, security considerations focus on the credentials used for PostgreSQL and S3, the Secrets associated with deployment, and the security contexts applied to pods and containers.
User authentication, SSO, LDAP, Ranger, and authorization policy settings are outside the scope of this page.
Credentials and Secrets
Hive Metastore uses credentials to access the PostgreSQL database that stores metadata and, when metastore.type: s3, to access the S3/S3A endpoint configured in the chart.
Do not store passwords in versioned values.yaml files. Use private values files, secure CI, or the environment's Secret management mechanism.
PostgreSQL credentials
With postgres.enabled: true, the chart uses internal PostgreSQL. Set the hive user password in tdp-hive-metastore.postgres.password:
tdp-hive-metastore:
postgres:
enabled: true
database: hive
username: hive
password: "<POSTGRES_PASSWORD>"
If you need to connect directly to the hive database, retrieve the generated password from the release Secret:
kubectl get secret -n <NAMESPACE> <RELEASE_NAME>-hive-database -o jsonpath="{.data.password}" | base64 --decode
With external PostgreSQL (postgres.enabled: false), the pre-install hooks look up the admin password in the Secret associated with the release defined in TDP-Settings.externalDatabase.externalSecret.releaseName. That Secret must contain the postgres-password key in the TDP format. For the external database configuration parameters, see Hive Metastore Configuration.
S3 credentials
To use the warehouse in S3 mode, configure metastore.type: s3 and provide credentials in tdp-hive-metastore.metastore.s3.accessKey and tdp-hive-metastore.metastore.s3.secretKey:
tdp-hive-metastore:
metastore:
type: s3
s3:
endpoint: "http://<S3_SERVICE>.<NAMESPACE>.svc.cluster.local:9000"
accessKey: "<S3_ACCESS_KEY>"
secretKey: "<S3_SECRET_KEY>"
Protect these values through a private values file, secure CI, or the Secret management tool adopted by the environment. To configure s3 mode, see Hive Metastore Configuration.
imagePullSecrets
Use tdp-hive-metastore.imagePullSecrets for pulling images from private registries:
tdp-hive-metastore:
imagePullSecrets:
- name: tdp-registry
The referenced Secret must exist in the namespace where Hive Metastore is installed. In environments that use cluster policy to inject imagePullSecrets, align this value with the strategy adopted by the cluster.
podSecurityContext and containerSecurityContext
Configure workload and helper job security contexts in podSecurityContext and containerSecurityContext:
tdp-hive-metastore:
podSecurityContext:
seccompProfile:
type: RuntimeDefault
containerSecurityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: false
seccompProfile:
type: RuntimeDefault
capabilities:
drop:
- ALL
These values reduce container permissions and apply seccompProfile: RuntimeDefault. Preserve these defaults unless the Kubernetes/OpenShift environment explicitly requires a change.
Troubleshooting
| Problem | Probable cause | Solution |
|---|---|---|
| Metastore does not start (external database) | Secret with postgres-password missing or incorrect release name | Check externalSecret.releaseName |
| Pre-install hook failure | PostgreSQL not accessible or max_connections insufficient | Check connectivity and SHOW max_connections |
| Authentication denied | Incorrect credentials in values | Review postgres.username and postgres.password |
| S3 credentials do not work | Incorrect accessKey, secretKey, or S3 endpoint | Check tdp-hive-metastore.metastore.s3.* and avoid credentials in versioned values |
| Image pull fails | Registry Secret missing or incorrect name | Check tdp-hive-metastore.imagePullSecrets and whether the Secret exists in the namespace |
| Pod blocked by security policy | podSecurityContext or containerSecurityContext incompatible with the cluster policy | Check Pod events and adjust only as required by the environment |
For the complete parameter list, use helm show values for the chart version you installed.