If you have integrated with an EMR cluster version 5.8.0 or later, you can configure your Hive instance to use AWS Glue Data Catalog for storage and access to Hive metadata.
Tip: For metastores that are used across a set of services, accounts, and applications, AWS Glue is the recommended method of access.
For more information on AWS Glue, see https://docs.aws.amazon.com/emr/latest/ReleaseGuide/emr-hive-metastore-glue.html.
This section describes how to enable integration with your AWS Glue deployment.
AWS Glue tables can be read under the following conditions:
- The Trifacta platform uses S3 as the base storage layer.
- The Trifacta platform is integrated with an EMR cluster:
- EMR version 5.8.0 or later
- EMR cluster has been configured with HiveServer2
The Hive deployment must be integrated with AWS Glue.
NOTE: Hive connections are supported when S3 is the backend datastore.
- For HiveServer2 connectivity, the Trifacta node has direct access to the Master node of the EMR cluster.
When you create the EMR cluster, please verify the following in the AWS Glue Data Catalog settings:
Use for Hive table metadata
Use for Spark table metadata
Required Glue table properties
Each Glue table must be created with the following properties specified:
These properties must be specified for the Hive JDBC driver to read the Glue tables.
For additional limitations on access Hive tables through Glue, see https://docs.aws.amazon.com/emr/latest/ReleaseGuide/emr-hive-metastore-glue.html#emr-hive-glue-considerations-hive.
Deploy Credentials JAR to S3
To enable integration between the Trifacta platform and AWS Glue, a JAR file for managing the Trifacta credentials for AWS access must be deployed to S3 in a location that is accessible to the EMR cluster.
When the EMR cluster is launched with the followng custom bootstrap action, the cluster does one of the following:
- Interacts with AWS Glue using the credentials specified in
user, then the credentials registered by the user are used to connect to AWS Glue.
From the installation of the Trifacta platform, retrieve the following file:
Upload this JAR file to an S3 bucket location where the EMR cluster can access it:
- Via AWS Console S3 UI: See http://docs.aws.amazon.com/cli/latest/reference/s3/index.html.
Via AWS command line:
Create a bootstrap action script named
configure_glue_lib.sh. The contents must be the following:
- This script must be uploaded into S3 in a location that can be accessed from the EMR cluster. Retain the full path to this location.
- Add a bootstrap action to EMR cluster configuration.
Via AWS Console S3 UI: Create the bootstrap action to point to the script that you uploaded on S3.
- Via AWS command line:
- Upload the
configure_glue_lib.shfile to the accessible S3 bucket.
In the command line cluster creation script, add a custom bootstrap action. Example:
- Upload the
Authentication methods are required permissions are based on the AWS authentication mode:
|IAM role assigned to the cluster must provide access to AWS Glue.||See Configure for AWS.|
|The user role must provide access to AWS Glue.|
See below for an example IAM role access control.
Example fine-grain access control for IAM policy:
If you are using IAM roles to provide access to AWS Glue, you can review the following fine-grained access control, which includes the permissions required to access AWS Glue tables. Please add this to the Permissions section of your AWS Glue Catalog Settings page.
NOTE: Please verify that access is granted in the IAM policy to the default database for AWS Glue, as noted below.
AWS Glue crawls available data that is stored on S3. When you import a dataset through AWS Glue:
- Any samples of your data that are generated by the Trifacta platform are stored in S3. Sample data is read by the platform directly from S3.
- Source data is read through AWS Glue.
You should review and, if needed, apply additional read restrictions on your IAM policies so that users are limited to reading data from their own S3 directories. If all users have access to the same areas of the same S3 bucket, then it may be possible for users to access datasets through the platform when it is forbidden through AWS Glue.
Access is read-only. Publishing to Glue hosted on EMR is not supported.
- When using per-user IAM role-based authentication, EMR Spark jobs on AWS Glue datasources may fail if the job is still running beyond the defined session limit after job submission time for the IAM role.
- In the AWS Console, this limit is defined in hours as the Maximum CLI/API session duration assigned to the IAM role.
- In the AWS Glue catalog client for the Hive Metadata store, the temporary credentials generated for the IAM role expire after this limit in hours and cannot be renewed.
Please verify the following have been enabled and configured.
Your deployment has been configured to meet the Supported Deployment guidelines above.
You must integrate the platform with Hive.
NOTE: For the Hive hostname and port number, use the Master public DNS values. For more information, see https://docs.aws.amazon.com/emr/latest/ReleaseGuide/emr-hive-metastore-glue.html.
For more information, see Configure for Hive.
- If you are using it, the custom SQL query feature must be enabled. For more information, see Enable Custom SQL Query.
When accessing Glue using temporary per-user credentials, the credentials are given a duration of
1 hour. As needed, you can modify this duration.
NOTE: This value cannot exceed the Maximum Session Duration value for IAM roles, as configured in the IAM Console.
Locate the following parameter. By default, this value is set to
Save your changes and restart the platform.
This page has no comments.