Page MenuHomePhabricator
Create Task
Maniphest T425673

Enable Ceph S3 locations for Hive Metastore tables
Open, Needs TriagePublic
Actions

Description

Hive Metastore should be configured with credentials and endpoint settings for our Ceph RGW S3 service so that tables with s3a:// locations can be registered through the standard Hive catalog. Currently, CREATE EXTERNAL TABLE ... LOCATION 's3a://...' fails because the metastore's own JVM tries to validate the location via FileSystem.get() and has no AWS credentials provider, S3A endpoint, or SSL config available — even though client-side Spark sessions are correctly configured and can read/write the bucket directly. Concretely, this would mean adding the relevant fs.s3a.* properties (credentials provider, access/secret key, endpoint, path.style.access, connection.ssl.enabled) to the metastore's hive-site.xml or core-site.xml, and ensuring hadoop-aws is on its classpath.

The use case is enabling Iceberg and plain external tables backed by Ceph S3 to be registered in the shared Hive catalog so they're discoverable alongside HDFS-backed tables, rather than requiring a separate Iceberg Hadoop catalog per user or project. An example notebook illustrating the working client-side Spark setup and the resulting metastore error.

Related Objects
Search...

Event Timeline

fkaelin created this task.May 7 2026, 1:31 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 7 2026, 1:31 PM
Ottomata added a project: Data-Platform-SRE.May 7 2026, 1:36 PM
Ottomata added subscribers: BTullis, JAllemandou.
BTullis added a subtask: T381416: Do performance testing of a big Hadoop Table hosted by Ceph.Tue, May 12, 8:51 AM
Gehel edited projects, added: Data-Platform-SRE (2026-04-24 - 2026-05-15); removed: Data-Platform-SRE.Tue, May 19, 1:04 PM
Gehel subscribed.

We need to have a security model before moving too far along. This is very much part of our general strategy, we just need to make sure we don't paint ourselves in a corner.

Blocked until we have a security model.

Gehel moved this task from Backlog - project to Blocked/Waiting on the Data-Platform-SRE (2026-04-24 - 2026-05-15) board.Tue, May 19, 1:04 PM
fkaelin added a comment.Tue, May 19, 1:30 PM

Thanks for the update, can we link to the phab for the security model?

Ahoelzl moved this task from Incoming (new tickets) to Backlog on the Data-Engineering board.Wed, Jun 3, 6:56 PM
BTullis added a parent task: T428255: Define a comprehensive security model for the Data Platform S3/Ceph services.Fri, Jun 5, 12:50 PM
Gehel edited projects, added: Data-Platform-SRE (2026-06-05 - 2026-06-26); removed: Data-Platform-SRE (2026-04-24 - 2026-05-15).Fri, Jun 5, 1:28 PM
Gehel moved this task from Backlog - project to Blocked/Waiting on the Data-Platform-SRE (2026-06-05 - 2026-06-26) board.
JAllemandou mentioned this in T428237: [NEEDS GROOMING] data-reload: spark processing jobs need to be orchestrated in the wikidata dag..Mon, Jun 8, 9:28 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits