If you have integrated with an EMR cluster version 5.8.0 or later, you can configure your Hive instance to use AWS Glue Data Catalog for storage and access to Hive metadata. 

Tip: For metastores that are used across a set of services, accounts, and applications, AWS Glue is the recommended method of access.

For more information on AWS Glue, see https://docs.aws.amazon.com/emr/latest/ReleaseGuide/emr-hive-metastore-glue.html.

This section describes how to enable integration with your AWS Glue deployment. 

Supported Deployment

AWS Glue tables can be read under the following conditions:

EMR Settings

When you create the EMR cluster, please verify the following in the AWS Glue Data Catalog settings:

Required Glue table properties

Each Glue table must be created with the following properties specified:

These properties must be specified for the Hive JDBC driver to read the Glue tables.

For additional limitations on access Hive tables through Glue, see https://docs.aws.amazon.com/emr/latest/ReleaseGuide/emr-hive-metastore-glue.html#emr-hive-glue-considerations-hive.

Deploy Credentials JAR to S3

To enable integration between the  and AWS Glue, a JAR file for managing the  for AWS access must be deployed to S3 in a location that is accessible to the EMR cluster. 

When the EMR cluster is launched with the followng custom bootstrap action, the cluster does one of the following:

Steps:

  1. From the installation of the , retrieve the following file:

    [TRIFACTA_INSTALL_DIR]/aws/glue-credential-provider/build/libs/trifacta-aws-glue-credential-provider.jar
  2. Upload this JAR file to an S3 bucket location where the EMR cluster can access it:

    1. Via AWS Console S3 UI: See http://docs.aws.amazon.com/cli/latest/reference/s3/index.html.
    2. Via AWS command line:

      aws s3 cp trifacta-aws-glue-credential-provider.jar s3://<YOUR-BUCKET>/
  3. Create a bootstrap action script named configure_glue_lib.sh. The contents must be the following:

    sudo aws s3 cp s3://<YOUR-BUCKET>/trifacta-aws-glue-credential-provider.jar  /usr/share/aws/emr/emrfs/auxlib/
    sudo aws s3 cp s3://<YOUR-BUCKET>/trifacta-aws-glue-credential-provider.jar  /usr/lib/hive/auxlib/
  4. This script must be uploaded into S3 in a location that can be accessed from the EMR cluster. Retain the full path to this location.
  5. Add a bootstrap action to EMR cluster configuration.
    1. Via AWS Console S3 UI: Create the bootstrap action to point to the script that you uploaded on S3.

    2. Via AWS command line: 
      1. Upload the configure_glue_lib.sh file to the accessible S3 bucket.
      2. In the command line cluster creation script, add a custom bootstrap action. Example:

        --bootstrap-actions '[
        {"Path":"s3://<YOUR-BUCKET>/configure_glue_lib.sh","Name":"Custom action"}
        ]'

Authentication

Authentication methods are required permissions are based on the AWS authentication mode:

"aws.mode": "system",
aws.mode valuePermissionsDoc
systemIAM role assigned to the cluster must provide access to AWS Glue.See Configure for AWS.
userThe user role must provide access to AWS Glue.

See below for an example IAM role access control.

See Configure AWS Per-User Auth for Temporary Credentials.

Example fine-grain access control for IAM policy:

If you are using IAM roles to provide access to AWS Glue, you can review the following fine-grained access control, which includes the permissions required to access AWS Glue tables. Please add this to the Permissions section of your AWS Glue Catalog Settings page. 

NOTE: Please verify that access is granted in the IAM policy to the default database for AWS Glue, as noted below.


{
    "Sid" : "accessToAllTables",
    "Effect" : "Allow",
    "Principal" : {
      "AWS" : [  "arn:aws:iam::<accountId>:role/glue-read-all" ]
    },
    "Action" : [ "glue:GetDatabases", "glue:GetDatabase", "glue:GetTables", "glue:GetTable", "glue:GetUserDefinedFunctions", "glue:GetPartitions" ],
    "Resource" : [ "arn:aws:glue:us-west-2:<accountId>:catalog", "arn:aws:glue:us-west-2:<accountId>:database/default", "arn:aws:glue:us-west-2:<accountId>:database/global_temp", "arn:aws:glue:us-west-2:<accountId>:database/mydb", "arn:aws:glue:us-west-2:<accountId>:table/mydb/*" ]
}

S3 access

AWS Glue crawls available data that is stored on S3. When you import a dataset through AWS Glue:

You should review and, if needed, apply additional read restrictions on your IAM policies so that users are limited to reading data from their own S3 directories. If all users have access to the same areas of the same S3 bucket, then it may be possible for users to access datasets through the platform when it is forbidden through AWS Glue.

Limitations

Enable

Please verify the following have been enabled and configured.

  1. Your deployment has been configured to meet the Supported Deployment guidelines above.

  2. You must integrate the platform with Hive.

    NOTE: For the Hive hostname and port number, use the Master public DNS values. For more information, see https://docs.aws.amazon.com/emr/latest/ReleaseGuide/emr-hive-metastore-glue.html.


    For more information, see Configure for Hive.

  3. If you are using it, the custom SQL query feature must be enabled. For more information, see Enable Custom SQL Query

Configure

When accessing Glue using temporary per-user credentials, the credentials are given a duration of 1 hour. As needed, you can modify this duration. 

NOTE: This value cannot exceed the Maximum Session Duration value for IAM roles, as configured in the IAM Console.


  1. Locate the following parameter. By default, this value is set to 1:

    "data-service.sqlOptions.glueTempCredentialTimeoutInHours": 1
  2. Save your changes and restart the platform.

Create Connection

See Create AWS Glue Connections.