Choose the endpoint protocol

Your Dataproc Metastore service provides client access to the stored Hive metastore metadata by using an endpoint protocol.

You can choose the endpoint protocol for your Dataproc Metastore service to match your communication preference. You can choose between Apache Thrift or gRPC.

Thrift is the legacy endpoint protocol, and therefore is the default option. gRPC is more secure and allows you to use federated integrations with other Google Cloud products.

gRPC network configuration

You don't need to configure shared VPC or set network configurations for gRPC-based services since the gRPC endpoint can be reached from any VPC. The exception is when the project containing the service is in a VPC-SC service perimeter, in which case the endpoint can be reached from any VPC belonging to projects in the perimeter.

Choose the endpoint protocol for a new or an existing Dataproc Metastore service

You can choose the endpoint protocol for your Dataproc Metastore service when you create or update it using the Google Cloud console.

Choose the endpoint protocol for a new service

To choose the endpoint protocol for a new service:

Console

  1. In the console, open the Dataproc Metastore page:

    Open Dataproc Metastore in the console

  2. At the top of the Dataproc Metastore page, click the Create button. The Create service page opens.

  3. Configure your service as desired.

  4. Under Endpoint protocol, select Thrift or gRPC. Thrift is the default endpoint protocol.

  5. Click Submit.

gcloud

  1. Run the following gcloud beta metastore services create command:

    gcloud beta metastore services create SERVICE \
       --endpoint-protocol=ENDPOINT_PROTOCOL

    Replace the following:

    • SERVICE: a name for your new service
    • ENDPOINT_PROTOCOL: the protocol to use for the metastore service endpoint. You can specify either thrift or grpc. If you omit the flag, the default is thrift.
  2. Verify that the creation was successful.

Choose the endpoint protocol for an existing service

To choose the endpoint protocol for an existing service:

Console

  1. In the console, open the Dataproc Metastore page:

    Open Dataproc Metastore in the console

  2. On the Dataproc Metastore page, click the service name of the service you'd like to update. The Service detail page for that service opens.

  3. Under the Configuration tab, click the Edit button. The Edit service page opens.

  4. In the Endpoint protocol section, update your selection between Thrift or gRPC.

  5. Click the Submit button to update the service.

gcloud

  1. Run the following gcloud beta metastore services update command:

    gcloud beta metastore services update SERVICE \
       --endpoint-protocol=ENDPOINT_PROTOCOL

    Replace the following:

    • SERVICE: the name of your service
    • ENDPOINT_PROTOCOL: the protocol to use for the metastore service endpoint. You can specify either thrift or grpc.
  2. Verify that the update was successful.
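The two gcloud procedures above, wrapped in a small POSIX sh script. This is an added example, not code from the Dataproc Metastore documentation: it rejects any protocol other than thrift or grpc before gcloud is invoked, prints the commands in dry-run mode so they can be reviewed first, and adds the check that the "verify" step above leaves to the reader. Two assumptions are not stated on the page: that these commands require a --location flag, and that `gcloud beta metastore services describe` reports the protocol in an endpointProtocol field with values THRIFT or GRPC.

```shell
#!/bin/sh
# Added example (not from the Dataproc Metastore documentation): a thin wrapper
# around the create/update commands on this page with input validation and a
# verification step.
# Assumptions (not stated on the page): --location is required by gcloud for
# these commands, and `gcloud beta metastore services describe` reports the
# protocol in an endpointProtocol field (THRIFT or GRPC).

# DRY_RUN=1 (the default) prints each gcloud command instead of executing it,
# so the script can be reviewed before it changes a project.
DRY_RUN="${DRY_RUN:-1}"

run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Accept only the two protocols the page names; a typo would otherwise only
# surface as a gcloud error after the call has been made.
validate_protocol() {
  case "$1" in
    thrift|grpc) printf '%s\n' "$1" ;;
    *) printf 'unsupported endpoint protocol: %s (use thrift or grpc)\n' "$1" >&2; return 1 ;;
  esac
}

# dpms_create SERVICE LOCATION [PROTOCOL]   (PROTOCOL defaults to thrift, as gcloud does)
dpms_create() {
  protocol=$(validate_protocol "${3:-thrift}") || return 1
  run gcloud beta metastore services create "$1" \
    --location="$2" \
    --endpoint-protocol="$protocol"
}

# dpms_set_protocol SERVICE LOCATION PROTOCOL
dpms_set_protocol() {
  protocol=$(validate_protocol "$3") || return 1
  run gcloud beta metastore services update "$1" \
    --location="$2" \
    --endpoint-protocol="$protocol"
}

# Compare the protocol gcloud reports (upper-case, e.g. GRPC) with the one that
# was requested (lower-case). Succeeds only on a match, so an update that left
# the old protocol in place is caught rather than assumed.
protocol_matches() {
  expected=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  actual=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# dpms_verify_protocol SERVICE LOCATION PROTOCOL   (meaningful only with DRY_RUN=0)
dpms_verify_protocol() {
  actual=$(run gcloud beta metastore services describe "$1" \
    --location="$2" --format='value(endpointProtocol)')
  protocol_matches "$3" "$actual"
}

# Example run with constructed service names (dry run unless DRY_RUN=0 is exported):
if [ "${DPMS_DEMO:-0}" = "1" ]; then
  dpms_create analytics-metastore us-central1 grpc
  dpms_set_protocol legacy-metastore us-central1 grpc
  dpms_verify_protocol analytics-metastore us-central1 grpc && echo "protocol confirmed"
fi
```

Run it with `DPMS_DEMO=1 sh script.sh` to see the commands it would issue; export `DRY_RUN=0` only once the printed commands, project and location have been reviewed.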

After choosing the endpoint protocol

For gRPC-enabled services, access to the stored metadata is protected by IAM permissions on databases and tables. The roles are:

  • roles/metastore.metadataViewer: read-only access to metadata and to metadata IAM policies
  • roles/metastore.metadataEditor: read-write access to metadata; read-only access to metadata IAM policies
  • roles/metastore.metadataOwner: read-write access to metadata; read-write access to metadata IAM policies

You must set an IAM policy to grant access to these resources. Use setIamPolicy and getIamPolicy to grant permissions on metastore.databases and metastore.tables resources.

Set IAM policy to grant metadata roles

The following instructions demonstrate how to grant metadata roles at the database and table level.

gcloud

  • For database level access:

    Run the following gcloud beta metastore services databases add-iam-policy-binding command to grant metadata roles at the database level:

    gcloud beta metastore services databases add-iam-policy-binding \
       --project PROJECT --location LOCATION --service SERVICE_ID DATABASE_ID \
       --role roles/metastore.metadataViewer --member="EMAIL_ID"

  • For table level access:

    Run the following gcloud beta metastore services databases tables add-iam-policy-binding command to grant metadata roles at the table level:

    gcloud beta metastore services databases tables add-iam-policy-binding \
       --project PROJECT --location LOCATION --service SERVICE_ID --database DATABASE_ID TABLE_ID \
       --role roles/metastore.metadataViewer --member="EMAIL_ID"
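The database-level and table-level grants above, as an added POSIX sh example that is not part of the Dataproc Metastore documentation. It restricts grants to the three metadata roles listed on this page, requires the member to carry an explicit principal type (user:, group: or serviceAccount:) rather than a bare e-mail address, and reads the policy back after a grant. The project, location, service, database, table and member values are constructed placeholders. One assumption is not stated on the page: that `gcloud beta metastore services databases get-iam-policy` and `gcloud beta metastore services databases tables get-iam-policy` exist alongside the add-iam-policy-binding commands.

```shell
#!/bin/sh
# Added example (not from the Dataproc Metastore documentation): a wrapper for
# the two add-iam-policy-binding commands on this page that limits grants to
# the three metadata roles, insists on a typed member, and reads the resulting
# policy back.
# Assumption (not stated on the page): the get-iam-policy subcommands used in
# show_metadata_policy exist for databases and tables.

# Service settings; the placeholder values are constructed for this example.
PROJECT="${PROJECT:-PROJECT_PLACEHOLDER}"
LOCATION="${LOCATION:-us-central1}"
SERVICE_ID="${SERVICE_ID:-SERVICE_PLACEHOLDER}"

# DRY_RUN=1 (the default) prints each gcloud command instead of running it.
DRY_RUN="${DRY_RUN:-1}"
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Only the three metadata roles are accepted, so this helper cannot bind a
# broader role by accident.
validate_metadata_role() {
  case "$1" in
    roles/metastore.metadataViewer|roles/metastore.metadataEditor|roles/metastore.metadataOwner)
      printf '%s\n' "$1" ;;
    *) printf 'not a metastore metadata role: %s\n' "$1" >&2; return 1 ;;
  esac
}

# Require an explicit principal type; a bare address is ambiguous.
validate_member() {
  case "$1" in
    user:?*|group:?*|serviceAccount:?*) printf '%s\n' "$1" ;;
    *) printf 'member needs a user:, group: or serviceAccount: prefix: %s\n' "$1" >&2; return 1 ;;
  esac
}

# grant_metadata_role database DATABASE_ID ROLE MEMBER
# grant_metadata_role table    DATABASE_ID TABLE_ID ROLE MEMBER
grant_metadata_role() {
  level="$1"; shift
  case "$level" in
    database)
      role=$(validate_metadata_role "$2") || return 1
      member=$(validate_member "$3") || return 1
      run gcloud beta metastore services databases add-iam-policy-binding "$1" \
        --project="$PROJECT" --location="$LOCATION" --service="$SERVICE_ID" \
        --role="$role" --member="$member"
      ;;
    table)
      role=$(validate_metadata_role "$3") || return 1
      member=$(validate_member "$4") || return 1
      run gcloud beta metastore services databases tables add-iam-policy-binding "$2" \
        --project="$PROJECT" --location="$LOCATION" --service="$SERVICE_ID" \
        --database="$1" --role="$role" --member="$member"
      ;;
    *) printf 'level must be database or table: %s\n' "$level" >&2; return 1 ;;
  esac
}

# show_metadata_policy database DATABASE_ID  |  show_metadata_policy table DATABASE_ID TABLE_ID
# Reads the bindings back so a grant can be confirmed (assumed subcommands).
show_metadata_policy() {
  case "$1" in
    database)
      run gcloud beta metastore services databases get-iam-policy "$2" \
        --project="$PROJECT" --location="$LOCATION" --service="$SERVICE_ID" ;;
    table)
      run gcloud beta metastore services databases tables get-iam-policy "$3" \
        --project="$PROJECT" --location="$LOCATION" --service="$SERVICE_ID" --database="$2" ;;
    *) printf 'level must be database or table: %s\n' "$1" >&2; return 1 ;;
  esac
}

# Example: analysts read one table, the pipeline service account edits the
# whole database (constructed names). Dry run unless DRY_RUN=0 is exported.
if [ "${DPMS_DEMO:-0}" = "1" ]; then
  grant_metadata_role table sales orders roles/metastore.metadataViewer group:analysts@example.com
  grant_metadata_role database sales roles/metastore.metadataEditor serviceAccount:etl@example.iam.gserviceaccount.com
  show_metadata_policy database sales
fi
```

Granting the viewer role at table level and the editor role only to the pipeline identity keeps each principal at the narrowest scope the three roles allow; the read-back at the end is the check that the binding landed where intended.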

What's next