Your Dataproc Metastore service provides client access to the stored Hive metastore metadata by using an endpoint protocol.
You can choose the endpoint protocol for your Dataproc Metastore service to match your communication preference. You can choose between Apache Thrift or gRPC.
Thrift is the legacy endpoint protocol, and therefore is the default option. gRPC is more secure and allows you to use federated integrations with other Google Cloud products.
gRPC network configuration
You don't need to configure shared VPC or set network configurations for gRPC-based services since the gRPC endpoint can be reached from any VPC. The exception is when the project containing the service is in a VPC-SC service perimeter, in which case the endpoint can be reached from any VPC belonging to projects in the perimeter.
Choose the endpoint protocol for a new or existing Dataproc Metastore service
You can choose the endpoint protocol for your Dataproc Metastore service when you create or update it, using either the Google Cloud console or the gcloud CLI.
Choose the endpoint protocol for a new service
To choose the endpoint protocol for a new service:
Console
In the console, open the Dataproc Metastore page.
At the top of the Dataproc Metastore page, click the Create button. The Create service page opens.
Configure your service as desired.
Under Endpoint protocol, select Thrift or gRPC. Thrift is the default endpoint protocol.
Click Submit.
gcloud
Run the following gcloud beta metastore services create command:

gcloud beta metastore services create SERVICE \
    --endpoint-protocol=ENDPOINT_PROTOCOL

Replace the following:

SERVICE: a name for your new service.
ENDPOINT_PROTOCOL: the protocol to use for the metastore service endpoint. You can specify either thrift or grpc. If you omit the flag, the default is thrift.
Verify that the creation was successful.
Choose the endpoint protocol for an existing service
To choose the endpoint protocol for an existing service:
Console
In the console, open the Dataproc Metastore page.
On the Dataproc Metastore page, click the service name of the service you'd like to update. The Service detail page for that service opens.
Under the Configuration tab, click the Edit button. The Edit service page opens.
In the Endpoint protocol section, update your selection between Thrift or gRPC.
Click the Submit button to update the service.
gcloud
Run the following gcloud beta metastore services update command:

gcloud beta metastore services update SERVICE \
    --endpoint-protocol=ENDPOINT_PROTOCOL

Replace the following:

SERVICE: the name of your service.
ENDPOINT_PROTOCOL: the protocol to use for the metastore service endpoint. You can specify either thrift or grpc.
Verify that the update was successful.
After choosing the endpoint protocol
For gRPC-enabled services, access to the stored metadata is protected by IAM permissions on databases and tables. The roles are:

roles/metastore.metadataViewer: read-only access to metadata and read-only access to metadata IAM policies.
roles/metastore.metadataEditor: read-write access to metadata; read-only access to metadata IAM policies.
roles/metastore.metadataOwner: read-write access to metadata; read-write access to metadata IAM policies.

You must set an IAM policy to grant access to these resources. Use setIamPolicy and getIamPolicy on the metastore.databases and metastore.tables resources to grant and inspect these permissions.
Set IAM policy to grant metadata roles
The following instructions demonstrate how to grant metadata roles at the database and table level.
gcloud
For database-level access, run the following gcloud beta metastore services databases add-iam-policy-binding command to grant a metadata role on a database:

gcloud beta metastore services databases add-iam-policy-binding \
    --project PROJECT --location LOCATION --service SERVICE_ID \
    DATABASE_ID \
    --role roles/metastore.metadataViewer \
    --member="EMAIL_ID"

For table-level access, run the following gcloud beta metastore services databases tables add-iam-policy-binding command to grant a metadata role on a table:

gcloud beta metastore services databases tables add-iam-policy-binding \
    --project PROJECT --location LOCATION --service SERVICE_ID \
    --database DATABASE_ID TABLE_ID \
    --role roles/metastore.metadataViewer \
    --member="EMAIL_ID"

Replace PROJECT, LOCATION, SERVICE_ID, DATABASE_ID, TABLE_ID, and EMAIL_ID with the values for your project, service, and the principal you are granting access to.
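Once bindings like the ones above are in place, the policy returned by getIamPolicy on a database or table is what actually governs access, so it is worth reviewing. The following added example (not code from the Dataproc Metastore documentation or the gcloud CLI) expands the three metadata roles described on this page into the capabilities each grants, aggregates them per principal, and flags the bindings a reviewer would want to look at. The policy JSON is a constructed sample in the standard IAM policy shape; the etag is a placeholder.

```python
import json

# Capabilities of the three Dataproc Metastore metadata roles, as described on this page.
ROLE_CAPS = {
    "roles/metastore.metadataViewer": {"metadata:read", "iam:read"},
    "roles/metastore.metadataEditor": {"metadata:read", "metadata:write", "iam:read"},
    "roles/metastore.metadataOwner": {"metadata:read", "metadata:write",
                                      "iam:read", "iam:write"},
}

# Principals that make a binding effectively public.
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample of what getIamPolicy on a database resource could return.
SAMPLE_POLICY = json.dumps({
    "version": 1,
    "etag": "ETAG_PLACEHOLDER",
    "bindings": [
        {"role": "roles/metastore.metadataViewer",
         "members": ["user:analyst@example.com", "allAuthenticatedUsers"]},
        {"role": "roles/metastore.metadataOwner",
         "members": ["user:dba@example.com",
                     "serviceAccount:etl@example.iam.gserviceaccount.com"]},
    ],
})


def effective_caps(policy_json):
    """Return {member: set of capabilities} for the metadata roles in a policy."""
    policy = json.loads(policy_json)
    caps = {}
    for binding in policy.get("bindings", []):
        role_caps = ROLE_CAPS.get(binding.get("role"))
        if role_caps is None:
            continue  # not one of the metadata roles covered here
        for member in binding.get("members", []):
            caps.setdefault(member, set()).update(role_caps)
    return caps


def audit(policy_json):
    """List findings: public principals, and principals able to rewrite the IAM policy."""
    findings = []
    for member, member_caps in effective_caps(policy_json).items():
        if member in PUBLIC_PRINCIPALS:
            findings.append(f"public principal {member} holds {sorted(member_caps)}")
        if "iam:write" in member_caps:
            findings.append(f"{member} can change the metadata IAM policy (metadataOwner)")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_POLICY):
        print(line)
```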