Forge Home


Apache Hive Puppet Module


2,605 latest version

5.0 quality score

We run a couple of automated
scans to help you access a
module's quality. Each module is
given a score based on how well
the author has formatted their
code and documentation and
modules are also checked for
malware using VirusTotal.

Please note, the information below
is for guidance only and neither of
these methods should be considered
an endorsement by Puppet.

Version information

  • 0.15.0 (latest)
  • 0.14.0
  • 0.13.0
  • 0.12.0
  • 0.11.0
  • 0.10.2
  • 0.10.1
  • 0.10.0
  • 0.9.8
  • 0.9.7
  • 0.9.6
  • 0.9.5
  • 0.9.4
  • 0.9.3
  • 0.9.2
  • 0.9.1
released Mar 1st 2020
This version is compatible with:
  • Puppet Enterprise 2023.7.x, 2023.6.x, 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x, 2017.3.x, 2017.2.x, 2017.1.x, 2016.5.x, 2016.4.x
  • Puppet >=3.4.0
  • , , , ,

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'cesnet-hive', '0.15.0'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add cesnet-hive
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install cesnet-hive --version 0.15.0

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.

Tags: hadoop, hive


cesnet/hive — version 0.15.0 Mar 1st 2020

Apache Hive Puppet Module

Build Status

####Table of Contents

  1. Module Description - What the module does and why it is useful
  2. Setup - The basics of getting started with Hive
  3. Usage - Configuration options and additional functionality
  4. Reference - An under-the-hood peek at what the module is doing and how
  5. Limitations - OS compatibility, etc.
  6. Development - Guide for contributing to the module

##Module Description

This module installs and setups Apache Hive data warehouse software running on the top of Hadoop cluster. Hive services can be collocated or separated with other services in the cluster. Optionally security based on Kerberos can be enabled. Security should be enabled if Hadoop cluster security is enabled.

Puppet client configured with stringify_facts=false is recommended, but not required (see also schema_file parameter).

Tested with:

  • Debian 7/wheezy, 8/jessie: Cloudera distribution (tested on Hive 0.13.1, 2.1.1)
  • RHEL 6 and clones: Cloudera distribution (tested with Hadoop 2.6.0)


###What cesnet-hive module affects

  • Packages: installs Hive packages (common packages, subsets for requested services, hcatalog, and/or hive client)
  • Files modified:
  • */etc/hive/* (or /etc/hive/conf/**)
  • /usr/local/sbin/hivemanager (not needed, only when administrator manager script is requested by features)
  • Alternatives:
  • alternatives are used for /etc/hive/conf in Cloudera
  • this module switches to the new alternative by default, so the Cloudera original configuration can be kept intact
  • Services: only requested Hive services are setup and started
  • metastore
  • server2
  • Helper Files:
  • /var/lib/hadoop-hdfs/.puppet-hive-dir-created (created by cesnet-hadoop module)
  • Secret Files (keytabs): permissions are modified for hive service keytab (/etc/security/keytab/hive.service.keytab)
  • Facts: hive_schemas (stringify_facts=false is needed when using this fact)
  • Databases: for supported databases (when not disabled): user created and database schema imported using puppetlabs modules

###Setup Requirements

There are several known or intended limitations in this module.

Be aware of:

  • Repositories - see cesnet-hadoop module Setup Requirements for details

  • No inter-node dependencies: running HDFS namenode is required for Hive metastore server startup

  • Secure mode: keytabs must be prepared in /etc/security/keytabs/ (see realm parameter)

  • Database setup: MariaDB/MySQL or PostgreSQL are supported. You need to install puppetlabs-mysql or puppetlabs-postgresql module, because they are not in dependencies.

  • Hadoop: it should be configured locally or you should use hdfs_hostname parameter (see Module Parameters)

###Beginning with Hive

Let's start with basic examples.

Example: The simplest setup without security nor zookeeper, with everything on single machine:

  hdfs_hostname => $::fqdn,
  metastore_hostname => $::fqdn,
  server2_hostname => $::fqdn,

  # HDFS initialization must be done on the namenode
  # (or /user/hive on HDFS must be created)
  include hive::hdfs

node default {
  # server
  include ::hive::metastore
  include ::hive::server2
  # client
  include ::hive::frontend
  include ::hive::hcatalog
  # worker nodes
  include ::hive::worker

Modify $::fqdn and node(s) section as needed.

We recommend:

  • using zookeeper and set hive parameter zookeeper_hostnames (cesnet-zookeeper module can be used for installation of zookeeper)
  • if collocated with HDFS namenode, add dependency Class['hadoop::namenode::service'] -> Class['hive::metastore::service']
  • if not collocated, it is needed to have HDFS namenode running first, or restart Hive metastore later
  • using hadoop class plus some other component (or hadoop::common::config class) - see hdfs_hostname parameter


It is highly recommended to use real database backends instead of Derby. Also security can be enabled.

Hive is used together with other components in roles in cesnet::site_hadoop puppet module.

Or you can see the examples here, how to use the hive puppet module directly:

Example 1: Setup with security:

Additional permissions in Hadoop cluster are needed: add hive proxy user.

  properties => {
    'hadoop.proxyuser.hive.groups' => 'hive,impala,oozie,users',
    'hadoop.proxyuser.hive.hosts' => '*',

  group => 'users',
  metastore_hostname => $::fqdn,
  realm => 'MY.REALM',

Use nodes sections from the initial Example, modify $::fqdn and nodes sections as needed.

Example 2: MySQL database, puppetlabs-mysql puppet module must be installed.

Add this to the initial example:

  db          => 'mysql',
  #db          => 'mariadb',
  db_password => 'hivepassword',

node default {

  class { 'mysql::server':
    root_password  => 'strongpassword',

  class { 'mysql::bindings':
    java_enable       => true,
    #java_package_name => 'libmariadb-java',

Database is created in hive::metastore::db (hive::metastore) class.

Example 3: PostgreSQL database, puppetlabs-postgresql puppet module must be installed.

Add this to the initial example:

  db          => 'postgresql',
  db_password => 'hivepassword',

node default {

  class { 'postgresql::server':
    postgres_password => 'strongpassword',
  include postgresql::lib::java

###Enable Security

Security in Hadoop (and Hive) is based on Kerberos. Keytab files needs to be prepared on the proper places before enabling the security.

Following parameters are used for security (see also hive class):

  • realm (Kerberos realm, empty string disables the security) Enables security and specifies Kerberos realm to use. Empty string disables the security. To enable security, there are required:
    • installed Kerberos client (Debian: krb5-user/heimdal-clients; RedHat: krb5-workstation)
    • configured Kerberos client (/etc/krb5.conf, /etc/krb5.keytab)
    • /etc/security/keytab/hive.service.keytab (on all server nodes)
  • sentry_hostname Enable usage of Sentry authorization service. When not specified, Hive server2 impersonation is enabled and authorization works using HDFS permissions.


Authorization by impersonation of the user. Used when sentry_hostname is not specified.

Hadoop needs to have enabled proxyuser for it:

# 'users' is the group in *group* parameter
hadoop.proxyuser.hive.groups => 'hive,users'
hadoop.proxyuser.hive.hosts  => '*'

Users need to have access to warehouse directory. Group is set to users by default. Other addons (like impala) need to be in the users group too!

Another way could be to add users to hive group and use that group instead (more simple, but less secure).


Authorization by sentry. Used when sentry_hostname is not specified.

Hive itself runs under 'hive' user. Hadoop and Hive must have enabed security.

Warehouse directory must have 'hive' group ownership. It is set by the puppet module by default.

###Multihome Support

Multihome is supported by Hive out-of-the-box.

<a name="defaultfs" ###Changing defaultFS (converting non-HA cluster, ...)

Changing defaultFS can be needed when, for example:

  • changing Hadoop cluster name
  • using cluster name because of converting non-HA cluster to High Availability

But existing objects in Hive schema are using the old URL with previous defaultFS and needs to be converted.

Getting the old URL:

hive --service metatool -listFSRoot 2>/dev/null

Convert (you can try testing run first using --dryRun):

hive --service metatool -updateLocation ${NEW_URL} ${OLD_URL} --dryRun
hive --service metatool -updateLocation ${NEW_URL} ${OLD_URL}

###Cluster with more HDFS Name nodes

If there are used more HDFS namenodes in the Hadoop cluster (high availability, namespaces, ...), it is needed to have 'hive' system user on all of them to authorization work properly. You could install full Hive client (using hive::frontend::install), but just creating the user is enough (using hive::user).

Note, the hive::hdfs class must be used too, but only on one of the HDFS namenodes. It includes the hive::user.


  include hive::hdfs

  include hive::user


The best way is to refresh configurations from the new original (=remove the old) and relaunch puppet on top of it. There is also needed to update schema using schematool or upgrade scripts in /usr/lib/hive/scripts/metastore/upgrade/DATABASE/.

For example (using mysql, from Hive 0.13.0):

mv /etc/{d}$/conf.${alternative} /etc/${d}/conf.cdhXXX
update-alternatives --auto ${d}-conf

# upgrade

# metadata schema upgrade
mysqldump --opt metastore > metastore-backup.sql
mysqldump --skip-add-drop-table --no-data metastore > my-schema-backup.mysql.sql
/usr/lib/hive/bin/schematool -dbType mysql -upgradeSchemaFrom 0.13.0 -userName root -passWord MYSQL_ROOT_PASSWORD

puppet agent --test
#or: puppet apply ...



  • hive: The main configuration class for Apache Hive
  • hive::hbase: Client Support for HBase
  • hive::hdfs: HDFS initialiations
  • hive::params
  • hive::service
  • common:
  • hive::common::config
  • hive::common::daemon
  • hive::common::postinstall
  • hive::frontend: Hive Client
  • hive::frontend::config
  • hive::frontend::install
  • hive::hcatalog: Hive HCatalog Client
  • hive::hcatalog::config
  • hive::hcatalog::install
  • hive::metastore: Hive Metastore
  • hive::metastore::config
  • hive::metastore::install
  • hive::metastore::db
  • hive::metastore::service
  • hive::server2: Hive Server
  • hive::server2::config
  • hive::server2::install
  • hive::server2::service
  • hive::user: Create hive system user, if needed
  • hive::worker: Hive support at the worker node


  • hive_schemas: database schema file for each database backend

###hive class


Hive config directory. Default: '/etc/hive/conf' or '/etc/hive'.


Hive group on HDFS. Default: 'users' (without sentry), 'hive' (with sentry).

For Hive impersonation (without sentry) is expected all users belong to the specified group.

It is not updated when changed, you should remove the /var/lib/hadoop-hdfs/.puppet-hive-dir-created file when changing or update group of /user/hive on HDFS.


HDFS hostname (or defaultFS value), if different from core-site.xml Hadoop file. Default: undef.

It is recommended to have the core-site.xml file instead. core-site.xml will be created when installing any Hadoop component or if you include hadoop::common::config class.


Hive keytab file. Default: '/etc/security/keytab/hive.service.keytab'.

Only used with security (realm parameter).


Puppet source for keytab file. Default: undef.

When specified, the Hive keytab file is created using this puppet source(s). Otherwise only persmissions are set on the keytab file.

Only used with security (realm parameter).


Hostname of the metastore server. Default: undef.

When specified, remote mode is activated (recommended).


Hive Kerberos principal. Default: '::default' (="hive/_HOST@${hive::realm}").


Hostname of the (external) Sentry service. Default: undef.

Non-empty value will enable Hive settings needed to use Sentry authorization service.

When sentry is enabled, you will need also hive user added to allowed.system.users in Hadoop YARN containers.


Hostname of the Hive server. Default: undef.

Used only for hivemanager script.


Array of zookeeper hostnames quorum. Default: undef.

Used for lock management (recommended).


Zookeeper port, if different from the default (2181). Default: undef.


Kerberos realm. Default: ''.

Empty string disables the security.

When security is enabled, you also need either Sentry service (sentry_hostname parameter) or proxyuser properties to Hadoop cluster for Hive impersonation. See Enable Security.


Additional properties. Default: undef.


Descriptions for the additional properties. Default: undef.


Switches the alternatives used for the configuration. Default: 'cluster' (Debian) or undef.

Use it only when supported (for example with Cloudera distribution).


Enables database setup (if suported). Default: true.


Database behind the metastore. Default: undef.

The default is embedded database (derby), but it is recommended to use proper database.


  • derby (default): embedded database
  • mysql: MySQL/MariaDB,
  • postgresql: PostgreSQL


Database hostname for mysql, postgresql, and oracle. Default: 'localhost'.

It can be overridden by javax.jdo.option.ConnectionURL property.


Database name for mysql and postgresql. Default: 'metastore'.

For oracle 'xe' schema is used. Can be overridden by javax.jdo.option.ConnectionURL property.


Database user for mysql, postgresql, and oracle. Default: 'hive'.


Database password for mysql, postgresql, and oracle. Default: undef.


Enable additional features. Default: {}.


  • manager - script in /usr/local to start/stop Hive daemons relevant for given node


Hive directory with database schemas. Default: undef (/usr/lib/hive/scripts/metastore/upgrade).


Hive database schema file. Default: undef (autodetect).

Autodetection requires puppet configured with stringify_facts=false. But the value can be set directly instead (for example hive-schema-2.1.1.mysql.sql).


Idea in this module is to do only one thing - setup Hive SW - and not limit generic usage of this module by doing other stuff. You can have your own repository with Hadoop SW, you can select which Kerberos implementation to use, or Java version.

On other hand this leads to some limitations as mentioned in Setup Requirements section and usage is more complicated - you may need site-specific puppet module together with this one, like cesnet-site_hadoop.

For database there are used puppetlabs-mysql and puppetlabs-postgresql modules, but they are not in dependencies. You can disable database setup altogether with database_setup_enable parameter.