Create and secure a Hive metastore cluster

Objective: Replace the default Hive metastore password when you create aDataproc cluster for added security.

Overview

When you create a Dataproc cluster, the Apache Hive application and itscomponents, including Hive metastore, are installed on the cluster, anda default password is set in thehive-site.xml file located on thecluster master node.

Specifying your own Hive metastore password is recommended to accomplish thefollowing goals:

  • As a best-practice security measure to ensure you control access to thelocal Hive metastore by providing your own password

  • To specify a known password that controls access to externalHive metastores used with external databases that are shared among differentclusters

Set the Hive metastore password

Run the followingGoogle Cloud CLI Dataproc clusters createcommand to create a Dataproc cluster and specify a Hivemetastore password.

gcloud dataproc clusters createcluster-name --properties="hive:javax.jdo.option.ConnectionPassword=HIVE_METASTORE_PASSWORD"

Notes:

  • SeeCreate a key to create a key in Cloud Key Management Service.
  • The Hive metastore password is stored only on cluster master node(s), not onworker nodes.

For additional information on securing Dataproc clusters seeDataproc security best practices.

Unsupported Scenarios

Dataproc does not support the following Hive metastore scenarios,regardless of whether you use the default or a user-supplied Hive metastore password:

  • You use an embedded metastore client in the Spark driver running in cluster mode,so that the worker nodes require Hive passwords. This scenario can causeconnectivity problems with the metastore database since the connectionis not made through theHiveMetaStore process running on theDataproc master node.

  • You deactivate Hive metastore andhive-server2 to use your own MySQL database.In this scenario, thespark.hadoop.javax.jdo.option.ConnectionURL=jdbc:mysql://CLUSTER_NAME-m/metastoreproperty has no effect.

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-15 UTC.