difin commented on code in PR #68: URL: https://github.com/apache/hive-site/pull/68#discussion_r2482422626
########## content/Development/quickStart.md: ########## @@ -292,3 +292,378 @@ exit ``` [/packaging/src/docker/build.sh]: https://github.com/apache/hive/blob/master/packaging/src/docker/build.sh + +# REST Catalog Integrations + +## Hive + Gravitino + Keycloak: Docker-Compose Setup Review Comment: done ########## content/Development/quickStart.md: ########## @@ -292,3 +292,378 @@ exit ``` [/packaging/src/docker/build.sh]: https://github.com/apache/hive/blob/master/packaging/src/docker/build.sh + +# REST Catalog Integrations + +## Hive + Gravitino + Keycloak: Docker-Compose Setup + +- The code for this setup is located in the Hive repository in `packaging/src/docker/thirdparties/gravitino` folder. +- It contains a docker-compose-based setup integrating Apache Hive, Gravitino Iceberg REST server, and Keycloak for OAuth2 authentication. It allows Hive to use an Iceberg REST catalog secured via Keycloak. + +### Architecture Overview +This diagram illustrates the key docker-compose components and their interactions in this setup: + +``` + oAuth2 (REST API) + +-------------------------------------------------------------------+ + | | + | v ++--------+----------+ +-------------------+ +-----------------+ +| | RESTCatalog | | oauth2 | | +| Hive | (REST API) | Gravitino | (REST API) | Keycloak | +| (HiveServer2) +-------------->| Iceberg REST +----------->| OAuth2 Auth | +| | | Server | | Server | ++--------+----------+ +---------+---------+ +-----------------+ + | | + data | metadata files | + files +------------------------------------+ + | + v ++-------------------+ +-------------------+ +| | creates dir | | +| /warehouse |<--------------+ init | +| (Docker volume) | sets | container | +| | permissions | | ++-------------------+ +-------------------+ +``` + +- Hive: + - Runs HiveServer2, connects to Gravitino via Iceberg REST catalog. + - Write Iceberg data files to the shared warehouse volume. +- Gravitino: + - Exposes REST API for Iceberg catalog. + - Writes Iceberg metadata files to shared warehouse volume (.metadata.json). + - Doesn't supports serving as oauth2 provider, so this example uses an external OAuth2 provider (Keyclock). +- Keycloak: + - OAuth2 server providing authentication and token issuance for Hive/Gravitino. +- /warehouse: + - Shared Docker volume for Iceberg table data and metadata. +- Init container: + - Creates shared /warehouse folder and sets filesystem permissions as a one time initialization step. + +### Prerequisites +- Hive version 4.2.0+ +- Docker & Docker Compose +- Java (for local Hive beeline client) +- ```$HIVE_HOME``` environment variable pointing to Hive installation (for connecting to Beeline) + +### Quickstart + +#### STEP 1: Export the Hive version +```shell +export HIVE_VERSION=4.2.0 +``` + +#### STEP 2: Start services +```shell +docker-compose up -d +``` + +#### STEP 3: Connect to beeline +```shell +"${HIVE_HOME}/bin/beeline" -u "jdbc:hive2://localhost:10001/default" -n hive -p hive +``` + +#### STEP 4: Stop services: +```shell +docker-compose down -v +``` + +### Configuration + +#### Keycloak + +- Realm: hive +- Client: iceberg-client + - Secret: iceberg-client-secret + - Protocol: OpenID Connect + - Audience: hive-iceberg +- Imported via `realm-export.json` in Keycloak container. +- Port: 8080 + +#### Gravitino + +- HTTP port: 9001 +- Catalog backend: JDBC H2 (/tmp/gravitino_h2_db) +- Warehouse: /warehouse (shared with Hive) +- Iceberg REST Catalog Backend config: + ``` + # Backend type for the catalog. Here we use JDBC (H2 database) as the metadata store. + gravitino.iceberg-rest.catalog-backend = jdbc + + # JDBC connection URI for the H2 database storing catalog metadata. + gravitino.iceberg-rest.uri = jdbc:h2:file:/tmp/gravitino_h2_db;AUTO_SERVER=TRUE + + # JDBC driver class used to connect to the metadata database. + gravitino.iceberg-rest.jdbc-driver = org.h2.Driver + + # Database username for connecting to the metadata store. + gravitino.iceberg-rest.jdbc-user = sa + + # Database password for connecting to the metadata store (empty here). + gravitino.iceberg-rest.jdbc-password = "" + + # Whether to initialize the catalog schema on startup. + gravitino.iceberg-rest.jdbc-initialize = true + + # --- Warehouse Location (shared folder) --- + + # Path to the Iceberg warehouse directory shared with Hive. + gravitino.iceberg-rest.warehouse = file:///warehouse + ``` +- OAuth2 config pointing to Keycloak: + ``` + # Enables OAuth2 as the authentication mechanism for Gravitino. + gravitino.authenticators = oauth + + # URL of the Keycloak realm to request tokens from. + gravitino.authenticator.oauth.serverUri = http://keycloak:8080/realms/hive + + # Path to the OAuth2 token endpoint on Keycloak. + gravitino.authenticator.oauth.tokenPath = /protocol/openid-connect/token + + # OAuth2 scopes requested when obtaining a token. Includes "openid" and the custom "catalog" scope. + gravitino.authenticator.oauth.scope = openid catalog + + # OAuth2 client ID registered in Keycloak. + gravitino.authenticator.oauth.clientId = iceberg-client + + # OAuth2 client secret associated with the client ID. + gravitino.authenticator.oauth.clientSecret = iceberg-client-secret + + # Java class used to validate incoming JWT tokens using the JWKS endpoint. + gravitino.authenticator.oauth.tokenValidatorClass = org.apache.gravitino.server.authentication.JwksTokenValidator + + # URL to fetch JSON Web Key Set (JWKS) for verifying token signatures. + gravitino.authenticator.oauth.jwksUri = http://keycloak:8080/realms/hive/protocol/openid-connect/certs + + # Identifier for the OAuth2 provider configuration in Gravitino. + gravitino.authenticator.oauth.provider = default + + # JWT claim field(s) to extract as the principal/username (here, 'sub' claim). + gravitino.authenticator.oauth.principalFields = sub + + # Acceptable clock skew (in seconds) when validating token expiration times. + gravitino.authenticator.oauth.allowSkewSecs = 60 + + # Expected audience claim in the token to ensure it is intended for this service. + gravitino.authenticator.oauth.serviceAudience = hive-iceberg + ``` + +#### Hive + +- Uses ```HiveRESTCatalogClient``` for connecting to Iceberg REST catalog (Gravitino). +- Catalog configuration in ```hive-site.xml```: + ``` + <property> + <name>metastore.catalog.default</name> + <value>ice01</value> + <description>Sets the default Iceberg catalog for Hive. Here, "ice01" is used.</description> + </property> + + <property> + <name>metastore.client.impl</name> + <value>org.apache.iceberg.hive.client.HiveRESTCatalogClient</value> + <description>Specifies the client implementation to use for accessing Iceberg via REST.</description> + </property> + + <property> + <name>iceberg.catalog.ice01.uri</name> + <value>http://gravitino:9001/iceberg</value> + <description>URI of the Iceberg REST server (Gravitino). Hive will send catalog requests here.</description> + </property> + + <property> + <name>iceberg.catalog.ice01.type</name> + <value>rest</value> + <description>Defines the catalog type as "rest", indicating it uses a REST API backend.</description> + </property> + + <!-- Iceberg REST Catalog: OAuth2 authentication --> + + <property> + <name>iceberg.catalog.ice01.rest.auth.type</name> + <value>oauth2</value> + <description>Configures Hive to use OAuth2 for authenticating requests to the REST catalog.</description> + </property> + + <property> + <name>iceberg.catalog.ice01.oauth2-server-uri</name> + <value>http://keycloak:8080/realms/hive/protocol/openid-connect/token</value> + <description>URL of the Keycloak OAuth2 token endpoint used to request access tokens.</description> + </property> + + <property> + <name>iceberg.catalog.ice01.credential</name> + <value>iceberg-client:iceberg-client-secret</value> + <description>Client credentials (ID and secret) used to authenticate with Keycloak.</description> + </property> + ``` +- HiveServer2 port: 10000 (mapped to 10001 in Docker Compose) + +### Networking Notes + +- All containers share a custom bridge network ```hive-net```. +- Services communicate via container names: hive, gravitino, keycloak. +- Ports mapped for host access: + - Keycloak → 8080 + - Gravitino → 9001 + - HiveServer2 → 10001 + +## Hive + Polaris: Docker-Compose Setup Review Comment: done -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
