HIVE-28775: HiveServer2: enabling HA Leader endpoint on a different port than WebUI

Author: Dmitriy Fingerman

common/src/java/org/apache/hadoop/hive/conf/HiveConf.java

@@ -3979,6 +3979,8 @@ public static enum ConfVars {
     HIVE_SERVER2_WEBUI_BIND_HOST("hive.server2.webui.host", "0.0.0.0", "The host address the HiveServer2 WebUI will listen on"),
     HIVE_SERVER2_WEBUI_PORT("hive.server2.webui.port", 10002, "The port the HiveServer2 WebUI will listen on. This can be"
         + "set to 0 or a negative integer to disable the web UI"),
+    HIVE_SERVER2_HEALTH_HA_PORT("hive.server2.health.ha.port", 11002, "The port the HiveServer2 health-ha web app will listen on. This can be"
+        + "set to 0 or a negative integer to disable HS2 health-ha checking"),
     HIVE_SERVER2_WEBUI_MAX_THREADS("hive.server2.webui.max.threads", 50, "The max HiveServer2 WebUI threads"),
     HIVE_SERVER2_WEBUI_USE_SSL("hive.server2.webui.use.ssl", false,
         "Set this to true for using SSL encryption for HiveServer2 WebUI."),

common/src/java/org/apache/hive/http/HttpServer.java

@@ -82,15 +82,17 @@
 import org.eclipse.jetty.security.ConstraintMapping;
 import org.eclipse.jetty.security.ConstraintSecurityHandler;
 import org.eclipse.jetty.security.LoginService;
-import org.eclipse.jetty.server.Connector;
 import org.eclipse.jetty.server.Handler;
 import org.eclipse.jetty.server.HttpConfiguration;
 import org.eclipse.jetty.server.HttpConnectionFactory;
 import org.eclipse.jetty.server.LowResourceMonitor;
+import org.eclipse.jetty.server.Request;
 import org.eclipse.jetty.server.Server;
+import org.eclipse.jetty.server.handler.AbstractHandler;
 import org.eclipse.jetty.server.handler.ContextHandler.Context;
 import org.eclipse.jetty.server.handler.ContextHandlerCollection;
 import org.eclipse.jetty.server.ServerConnector;
+import org.eclipse.jetty.server.handler.HandlerCollection;
 import org.eclipse.jetty.servlet.DefaultServlet;
 import org.eclipse.jetty.servlet.FilterHolder;
 import org.eclipse.jetty.servlet.FilterMapping;
@@ -138,6 +140,8 @@ public class HttpServer {
   private String appDir;
   private WebAppContext webAppContext;
   private Server webServer;
+  private QueuedThreadPool threadPool;
+  private PortHandlerWrapper portHandlerWrapper;
 
   /**
    * Create a status server on the given port.
@@ -179,6 +183,7 @@ public static class Builder {
         new LinkedList<Pair<String, Class<? extends HttpServlet>>>();
     private boolean disableDirListing = false;
     private final Map<String, Pair<String, Filter>> globalFilters = new LinkedHashMap<>();
+    private String contextPath;
 
     public Builder(String name) {
       Preconditions.checkArgument(name != null && !name.isEmpty(), "Name must be specified");
@@ -189,6 +194,10 @@ public HttpServer build() throws IOException {
       return new HttpServer(this);
     }
 
+    public void setContextPath(String contextPath) {
+      this.contextPath = contextPath;
+    }
+
     public Builder setConf(HiveConf origConf) {
       this.conf = new HiveConf(origConf);
       origConf.stripHiddenConfigurations(conf);
@@ -489,13 +498,13 @@ static boolean userHasAdministratorAccess(ServletContext servletContext,
   /**
    * Create the web context for the application of specified name
    */
-  WebAppContext createWebAppContext(Builder b) {
+  WebAppContext createWebAppContext(Builder b) throws FileNotFoundException {
     WebAppContext ctx = new WebAppContext();
     setContextAttributes(ctx.getServletContext(), b.contextAttrs);
     ctx.getServletContext().getSessionCookieConfig().setHttpOnly(true);
     ctx.setDisplayName(b.name);
-    ctx.setContextPath("/");
-    ctx.setWar(appDir + "/" + b.name);
+    ctx.setContextPath(b.contextPath == null ? "/" : b.contextPath);
+    ctx.setWar(getWebAppsPath(b.name) + "/" + b.name);
     return ctx;
   }
 
@@ -519,8 +528,9 @@ void setupSpnegoFilter(Builder b, ServletContextHandler ctx) throws IOException
   /**
    * Setup cross-origin requests (CORS) filter.
    * @param b - builder
+   * @param webAppContext - webAppContext
    */
-  private void setupCORSFilter(Builder b) {
+  private void setupCORSFilter(Builder b, WebAppContext webAppContext) {
     FilterHolder holder = new FilterHolder();
     holder.setClassName(CrossOriginFilter.class.getName());
     Map<String, String> params = new HashMap<>();
@@ -533,10 +543,62 @@ private void setupCORSFilter(Builder b) {
     handler.addFilterWithMapping(holder, "/*", FilterMapping.ALL);
   }
 
+  public void addWebApp(Builder b) throws IOException {
+    WebAppContext webAppContext = createWebAppContext(b);
+    ContextHandlerCollection portHandler = new ContextHandlerCollection();
+    ServerConnector connector = addWebApp(b, webAppContext, portHandler);
+    portHandlerWrapper.addHandler(connector, portHandler);
+  }
+  
+  private ServerConnector addWebApp(Builder b, WebAppContext webAppContext, ContextHandlerCollection portHandler)
+      throws IOException {
+
+    if (b.useSPNEGO) {
+      // Secure the web server with kerberos
+      setupSpnegoFilter(b, webAppContext);
+    }
+
+    if (b.enableCORS) {
+      setupCORSFilter(b, webAppContext);
+    }
+
+    Map<String, String> xFrameParams = setHeaders();
+    if (b.xFrameEnabled) {
+      setupXframeFilter(b, xFrameParams, webAppContext);
+    }
+
+    if (b.disableDirListing) {
+      disableDirectoryListingOnServlet(webAppContext);
+    }
+
+    ServerConnector connector = createChannelConnector(threadPool.getQueueSize(), b);
+    webServer.addConnector(connector);
+
+    RewriteHandler rwHandler = new RewriteHandler();
+    rwHandler.setRewriteRequestURI(true);
+    rwHandler.setRewritePathInfo(false);
+
+    RewriteRegexRule rootRule = new RewriteRegexRule();
+    rootRule.setRegex("^/$");
+    rootRule.setReplacement(b.contextRootRewriteTarget);
+    rootRule.setTerminating(true);
+
+    rwHandler.addRule(rootRule);
+    rwHandler.setHandler(webAppContext);
+
+    portHandler.addHandler(rwHandler);
+
+    for (Pair<String, Class<? extends HttpServlet>> p : b.servlets) {
+      addServlet(p.getFirst(), "/" + p.getFirst(), p.getSecond(), webAppContext);
+    }
+    
+    return connector;
+  }
+  
   /**
    * Create a channel connector for "http/https" requests
    */
-  Connector createChannelConnector(int queueSize, Builder b) {
+  ServerConnector createChannelConnector(int queueSize, Builder b) {
     ServerConnector connector;
 
     final HttpConfiguration conf = new HttpConfiguration();
@@ -604,7 +666,7 @@ void setContextAttributes(Context ctx, Map<String, Object> contextAttrs) {
 
   private void createWebServer(final Builder b) throws IOException {
     // Create the thread pool for the web server to handle HTTP requests
-    QueuedThreadPool threadPool = new QueuedThreadPool();
+    threadPool = new QueuedThreadPool();
     if (b.maxThreads > 0) {
       threadPool.setMaxThreads(b.maxThreads);
     }
@@ -615,59 +677,29 @@ private void createWebServer(final Builder b) throws IOException {
     this.appDir = getWebAppsPath(b.name);
     this.webAppContext = createWebAppContext(b);
 
-    if (b.useSPNEGO) {
-      // Secure the web server with kerberos
-      setupSpnegoFilter(b, webAppContext);
-    }
-
-    if (b.enableCORS) {
-      setupCORSFilter(b);
-    }
-
-    Map<String, String> xFrameParams = setHeaders();
-    if (b.xFrameEnabled) {
-      setupXframeFilter(b,xFrameParams);
-    }
-
-    if (b.disableDirListing) {
-      disableDirectoryListingOnServlet(webAppContext);
-    }
-
-    initializeWebServer(b, threadPool.getMaxThreads());
+    initializeWebServer(b);
   }
 
-  private void initializeWebServer(final Builder b, int queueSize) throws IOException {
+  private void initializeWebServer(final Builder b) throws IOException {
     // Set handling for low resource conditions.
     final LowResourceMonitor low = new LowResourceMonitor(webServer);
     low.setLowResourcesIdleTimeout(10000);
     webServer.addBean(low);
 
-    Connector connector = createChannelConnector(queueSize, b);
-    webServer.addConnector(connector);
-
-    RewriteHandler rwHandler = new RewriteHandler();
-    rwHandler.setRewriteRequestURI(true);
-    rwHandler.setRewritePathInfo(false);
-
-    RewriteRegexRule rootRule = new RewriteRegexRule();
-    rootRule.setRegex("^/$");
-    rootRule.setReplacement(b.contextRootRewriteTarget);
-    rootRule.setTerminating(true);
-
-    rwHandler.addRule(rootRule);
-    rwHandler.setHandler(webAppContext);
-
-    // Configure web application contexts for the web server
-    ContextHandlerCollection contexts = new ContextHandlerCollection();
-    contexts.addHandler(rwHandler);
-    webServer.setHandler(contexts);
-
+    // Configure the global context handler collection for the web server
+    portHandlerWrapper = new PortHandlerWrapper();
+    webServer.setHandler(portHandlerWrapper);
+    
+    ContextHandlerCollection portHandler = new ContextHandlerCollection();
+    portHandler.addHandler(webAppContext);
+    ServerConnector connector = addWebApp(b, webAppContext, portHandler);
+    
+    portHandlerWrapper.addHandler(connector, portHandler);
 
     if (b.usePAM) {
-      setupPam(b, contexts);
+      setupPam(b, portHandlerWrapper);
     }
 
-
     addServlet("jmx", "/jmx", JMXJsonServlet.class);
     addServlet("conf", "/conf", ConfServlet.class);
     addServlet("stacks", "/stacks", StackServlet.class);
@@ -679,8 +711,7 @@ private void initializeWebServer(final Builder b, int queueSize) throws IOExcept
       if (Files.notExists(tmpDir)) {
         Files.createDirectories(tmpDir);
       }
-      ServletContextHandler genCtx =
-        new ServletContextHandler(contexts, "/prof-output");
+      ServletContextHandler genCtx = new ServletContextHandler(portHandler, "/prof-output");
       setContextAttributes(genCtx.getServletContext(), b.contextAttrs);
       genCtx.addServlet(ProfileOutputServlet.class, "/*");
       genCtx.setResourceBase(tmpDir.toAbsolutePath().toString());
@@ -689,23 +720,17 @@ private void initializeWebServer(final Builder b, int queueSize) throws IOExcept
       LOG.info("ASYNC_PROFILER_HOME env or -Dasync.profiler.home not specified. Disabling /prof endpoint..");
     }
 
-    for (Pair<String, Class<? extends HttpServlet>> p : b.servlets) {
-      addServlet(p.getFirst(), "/" + p.getFirst(), p.getSecond());
-    }
-
     b.globalFilters.forEach((k, v) -> addFilter(k, v.getFirst(), v.getSecond(), webAppContext.getServletHandler()));
 
-    ServletContextHandler staticCtx =
-      new ServletContextHandler(contexts, "/static");
+    ServletContextHandler staticCtx = new ServletContextHandler(portHandler, "/static");
     staticCtx.setResourceBase(appDir + "/static");
     staticCtx.addServlet(DefaultServlet.class, "/*");
     staticCtx.setDisplayName("static");
     disableDirectoryListingOnServlet(staticCtx);
 
     String logDir = getLogDir(b.conf);
     if (logDir != null) {
-      ServletContextHandler logCtx =
-        new ServletContextHandler(contexts, "/logs");
+      ServletContextHandler logCtx = new ServletContextHandler(portHandler, "/logs");
       setContextAttributes(logCtx.getServletContext(), b.contextAttrs);
       if(b.useSPNEGO) {
         setupSpnegoFilter(b,logCtx);
@@ -716,7 +741,7 @@ private void initializeWebServer(final Builder b, int queueSize) throws IOExcept
     }
 
     // Define the global filers for each servlet context except the staticCtx(css style).
-    Optional<Handler[]> handlers = Optional.ofNullable(contexts.getHandlers());
+    Optional<Handler[]> handlers = Optional.ofNullable(portHandler.getHandlers());
     handlers.ifPresent(hs -> Arrays.stream(hs)
         .filter(h -> h instanceof ServletContextHandler && !"static".equals(((ServletContextHandler) h).getDisplayName()))
         .forEach(h -> b.globalFilters.forEach((k, v) ->
@@ -748,7 +773,7 @@ private Map<String, String> getDefaultHeaders() {
     return headers;
   }
 
-  private void setupXframeFilter(Builder b, Map<String, String> params) {
+  private void setupXframeFilter(Builder b, Map<String, String> params, WebAppContext webAppContext) {
     FilterHolder holder = new FilterHolder();
     holder.setClassName(QuotingInputFilter.class.getName());
     holder.setInitParameters(params);
@@ -811,6 +836,15 @@ public void addServlet(String name, String pathSpec,
     webAppContext.addServlet(holder, pathSpec);
   }
 
+  private void addServlet(String name, String pathSpec, Class<? extends HttpServlet> clazz,
+      WebAppContext webAppContext) {
+    ServletHolder holder = new ServletHolder(clazz);
+    if (name != null) {
+      holder.setName(name);
+    }
+    webAppContext.addServlet(holder, pathSpec);
+  }
+
   public void addServlet(String name, String pathSpec, ServletHolder holder) {
     if (name != null) {
       holder.setName(name);
@@ -1026,4 +1060,32 @@ private void initHttpHeaderMap() {
     }
   }
 
+  class PortHandlerWrapper extends ContextHandlerCollection {
+
+    private final Map<ServerConnector, HandlerCollection> connectorToHandlerMap = new HashMap<>();
+
+    public PortHandlerWrapper() {
+    }
+    
+    public void addHandler(ServerConnector connector, HandlerCollection handler) {
+      connectorToHandlerMap.put(connector, handler);
+      addHandler(handler);
+    }
+
+    @Override
+    public void handle(String target, Request baseRequest, HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
+      // Determine the connector (port) the request came through
+      int port = request.getServerPort();
+
+      // Find the handler for the corresponding port
+      Handler handler = connectorToHandlerMap.entrySet().stream()
+          .filter(entry -> entry.getKey().getPort() == port)
+          .map(Map.Entry::getValue)
+          .findFirst()
+          .orElseThrow(() -> new IllegalStateException("No handler found for port " + port));
+
+      // Delegate the request to the handler
+      handler.handle(target, baseRequest, request, response);
+    }
+  }
 }

data/conf/hive-site.xml

@@ -358,7 +358,7 @@
 
   <property>
     <name>hive.server2.webui.max.threads</name>
-    <value>4</value>
+    <value>6</value>
   </property>
 
   <property>

data/conf/mr/hive-site.xml

@@ -354,7 +354,7 @@
 
   <property>
     <name>hive.server2.webui.max.threads</name>
-    <value>4</value>
+    <value>6</value>
   </property>
 
   <property>

itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestActivePassiveHA.java

@@ -139,6 +139,72 @@ private static void setHAConfigs(Configuration conf) {
     conf.setInt(ConfVars.HIVE_ZOOKEEPER_CONNECTION_MAX_RETRIES.varname, 1);
   }
 
+  @Test(timeout = 60000)
+  public void testHealthCheckHA() throws Exception {
+    String instanceId1 = UUID.randomUUID().toString();
+    miniHS2_1.start(getConfOverlay(instanceId1));
+
+    String leaderURL = "http://localhost:" + hiveConf1.get(ConfVars.HIVE_SERVER2_WEBUI_PORT.varname) + "/leader";
+    String healthCheckURL = "http://localhost:" + hiveConf1.get(ConfVars.HIVE_SERVER2_HEALTH_HA_PORT.varname) + "/health-ha/leader";
+
+    String leaderURLHealthCheckPort = "http://localhost:" + hiveConf1.get(ConfVars.HIVE_SERVER2_HEALTH_HA_PORT.varname) + "/leader";
+    String healthCheckURLWebUIPort = "http://localhost:" + hiveConf1.get(ConfVars.HIVE_SERVER2_WEBUI_PORT.varname) + "/health-ha/leader";
+    
+    assertEquals(true, miniHS2_1.getIsLeaderTestFuture().get());
+    assertEquals(true, miniHS2_1.isLeader());
+
+    assertEquals("true", sendGet(leaderURL));
+    assertEquals("true", sendGet(healthCheckURL));
+
+    assertEquals("Not Found", sendGet(leaderURLHealthCheckPort));
+    assertEquals("Not Found", sendGet(healthCheckURLWebUIPort));
+  }
+
+  @Test(timeout = 60000)
+  public void testHealthCheckHAAuth() throws Exception {
+    hiveConf1.setBoolVar(ConfVars.HIVE_SERVER2_WEBUI_ENABLE_CORS, true);
+    setPamConfs(hiveConf1);
+    PamAuthenticator pamAuthenticator = new TestHS2HttpServerPam.TestPamAuthenticator(hiveConf1);
+    String instanceId1 = UUID.randomUUID().toString();
+    miniHS2_1.setPamAuthenticator(pamAuthenticator);
+    miniHS2_1.start(getSecureConfOverlay(instanceId1));
+
+    String leaderURL = "http://localhost:" + hiveConf1.get(ConfVars.HIVE_SERVER2_WEBUI_PORT.varname) + "/leader";
+    String healthCheckURL = "http://localhost:" + hiveConf1.get(ConfVars.HIVE_SERVER2_HEALTH_HA_PORT.varname) + "/health-ha/leader";
+
+    String leaderURLHealthCheckPort = "http://localhost:" + hiveConf1.get(ConfVars.HIVE_SERVER2_HEALTH_HA_PORT.varname) + "/leader";
+    String healthCheckURLWebUIPort = "http://localhost:" + hiveConf1.get(ConfVars.HIVE_SERVER2_WEBUI_PORT.varname) + "/health-ha/leader";
+
+    assertEquals(true, miniHS2_1.getIsLeaderTestFuture().get());
+    assertEquals(true, miniHS2_1.isLeader());
+
+    assertEquals("true", sendGet(leaderURL, true, true));
+    assertEquals("true", sendGet(healthCheckURL, true, true));
+
+    try {
+      sendGet(leaderURLHealthCheckPort, true, true);
+    } catch (AssertionError e) {
+      assertTrue(e.getMessage().contains("Not Found"));
+    } catch (Exception e) {
+      fail("Expected AssertionError");
+    }
+
+    assertEquals("Not Found", sendGet(healthCheckURLWebUIPort, true, true));
+    assertEquals("Method Not Allowed", sendDelete(healthCheckURL, true, true));
+    assertEquals("Method Not Allowed", sendDelete(healthCheckURLWebUIPort, true, true));
+
+    try {
+      sendDelete(leaderURLHealthCheckPort, true, true);
+    } catch (AssertionError e) {
+      assertTrue(e.getMessage().contains("Not Found"));
+    } catch (Exception e) {
+      fail("Expected AssertionError");
+    }
+
+    String resp = sendDelete(leaderURL, true, true);
+    assertTrue(resp.contains("Failover successful!"));
+  }
+
   @Test(timeout = 60000)
   public void testActivePassiveHA() throws Exception {
     String instanceId1 = UUID.randomUUID().toString();
@@ -150,10 +216,14 @@ public void testActivePassiveHA() throws Exception {
     assertEquals(true, miniHS2_1.isLeader());
     String url = "http://localhost:" + hiveConf1.get(ConfVars.HIVE_SERVER2_WEBUI_PORT.varname) + "/leader";
     assertEquals("true", sendGet(url));
+    String healthCheckURL = "http://localhost:" + hiveConf1.get(ConfVars.HIVE_SERVER2_HEALTH_HA_PORT.varname) + "/health-ha/leader";
+    assertEquals("true", sendGet(healthCheckURL));
 
     assertEquals(false, miniHS2_2.isLeader());
     url = "http://localhost:" + hiveConf2.get(ConfVars.HIVE_SERVER2_WEBUI_PORT.varname) + "/leader";
     assertEquals("false", sendGet(url));
+    healthCheckURL = "http://localhost:" + hiveConf2.get(ConfVars.HIVE_SERVER2_HEALTH_HA_PORT.varname) + "/health-ha/leader";
+    assertEquals("false", sendGet(healthCheckURL));
 
     url = "http://localhost:" + hiveConf1.get(ConfVars.HIVE_SERVER2_WEBUI_PORT.varname) + "/peers";
     String resp = sendGet(url);
@@ -192,6 +262,8 @@ public void testActivePassiveHA() throws Exception {
     assertEquals(true, miniHS2_2.isLeader());
     url = "http://localhost:" + hiveConf2.get(ConfVars.HIVE_SERVER2_WEBUI_PORT.varname) + "/leader";
     assertEquals("true", sendGet(url));
+    healthCheckURL = "http://localhost:" + hiveConf2.get(ConfVars.HIVE_SERVER2_HEALTH_HA_PORT.varname) + "/health-ha/leader";
+    assertEquals("true", sendGet(healthCheckURL));
 
     while (client.getAll().size() != 1) {
       Thread.sleep(100);
@@ -233,6 +305,8 @@ public void testActivePassiveHA() throws Exception {
     assertEquals(false, miniHS2_1.isLeader());
     url = "http://localhost:" + hiveConf1.get(ConfVars.HIVE_SERVER2_WEBUI_PORT.varname) + "/leader";
     assertEquals("false", sendGet(url));
+    healthCheckURL = "http://localhost:" + hiveConf1.get(ConfVars.HIVE_SERVER2_HEALTH_HA_PORT.varname) + "/health-ha/leader";
+    assertEquals("false", sendGet(healthCheckURL));
 
     while (client.getAll().size() != 2) {
       Thread.sleep(100);
@@ -282,10 +356,14 @@ public void testConnectionActivePassiveHAServiceDiscovery() throws Exception {
     assertEquals(true, miniHS2_1.isLeader());
     String url = "http://localhost:" + hiveConf1.get(ConfVars.HIVE_SERVER2_WEBUI_PORT.varname) + "/leader";
     assertEquals("true", sendGet(url));
+    String healthCheckURL = "http://localhost:" + hiveConf1.get(ConfVars.HIVE_SERVER2_HEALTH_HA_PORT.varname) + "/health-ha/leader";
+    assertEquals("true", sendGet(healthCheckURL));
 
     assertEquals(false, miniHS2_2.isLeader());
     url = "http://localhost:" + hiveConf2.get(ConfVars.HIVE_SERVER2_WEBUI_PORT.varname) + "/leader";
     assertEquals("false", sendGet(url));
+    healthCheckURL = "http://localhost:" + hiveConf2.get(ConfVars.HIVE_SERVER2_HEALTH_HA_PORT.varname) + "/health-ha/leader";
+    assertEquals("false", sendGet(healthCheckURL));
 
     // miniHS2_1 will be leader
     String zkConnectString = zkServer.getConnectString();
@@ -347,11 +425,14 @@ public void testManualFailover() throws Exception {
       miniHS2_2.start(confOverlay);
       String url1 = "http://localhost:" + hiveConf1.get(ConfVars.HIVE_SERVER2_WEBUI_PORT.varname) + "/leader";
       String url2 = "http://localhost:" + hiveConf2.get(ConfVars.HIVE_SERVER2_WEBUI_PORT.varname) + "/leader";
+      String healthCheckURL1 = "http://localhost:" + hiveConf1.get(ConfVars.HIVE_SERVER2_HEALTH_HA_PORT.varname) + "/health-ha/leader";
+      String healthCheckURL2 = "http://localhost:" + hiveConf2.get(ConfVars.HIVE_SERVER2_HEALTH_HA_PORT.varname) + "/health-ha/leader";
 
       // when we start miniHS2_1 will be leader (sequential start)
       assertEquals(true, miniHS2_1.getIsLeaderTestFuture().get());
       assertEquals(true, miniHS2_1.isLeader());
       assertEquals("true", sendGet(url1, true, true));
+      assertEquals("true", sendGet(healthCheckURL1, true, true));
 
       // trigger failover on miniHS2_1
       String resp = sendDelete(url1, true, true);
@@ -361,11 +442,13 @@ public void testManualFailover() throws Exception {
       assertEquals(true, miniHS2_1.getNotLeaderTestFuture().get());
       assertEquals(false, miniHS2_1.isLeader());
       assertEquals("false", sendGet(url1, true, true));
+      assertEquals("false", sendGet(healthCheckURL1, true, true));
 
       // make sure miniHS2_2 is the new leader
       assertEquals(true, miniHS2_2.getIsLeaderTestFuture().get());
       assertEquals(true, miniHS2_2.isLeader());
       assertEquals("true", sendGet(url2, true, true));
+      assertEquals("true", sendGet(healthCheckURL2, true, true));
 
       // send failover request again to miniHS2_1 and get a failure
       resp = sendDelete(url1, true, true);
@@ -379,8 +462,10 @@ public void testManualFailover() throws Exception {
       assertEquals(true, miniHS2_1.getIsLeaderTestFuture().get());
       assertEquals(true, miniHS2_1.isLeader());
       assertEquals("true", sendGet(url1, true, true));
+      assertEquals("true", sendGet(healthCheckURL1, true, true));
       assertEquals(true, miniHS2_2.getNotLeaderTestFuture().get());
       assertEquals("false", sendGet(url2, true, true));
+      assertEquals("false", sendGet(healthCheckURL2, true, true));
       assertEquals(false, miniHS2_2.isLeader());
     } finally {
       resetFailoverConfs();
@@ -404,10 +489,12 @@ public void testManualFailoverUnauthorized() throws Exception {
       miniHS2_2.start(confOverlay);
 
       String url1 = "http://localhost:" + hiveConf1.get(ConfVars.HIVE_SERVER2_WEBUI_PORT.varname) + "/leader";
+      String healthCheckURL1 = "http://localhost:" + hiveConf1.get(ConfVars.HIVE_SERVER2_HEALTH_HA_PORT.varname) + "/health-ha/leader";
       // when we start miniHS2_1 will be leader (sequential start)
       assertEquals(true, miniHS2_1.getIsLeaderTestFuture().get());
       assertEquals(true, miniHS2_1.isLeader());
       assertEquals("true", sendGet(url1, true));
+      assertEquals("true", sendGet(healthCheckURL1, true));
 
       // trigger failover on miniHS2_1 without authorization header
       assertTrue(sendDelete(url1, false).contains("Unauthorized"));
@@ -439,6 +526,7 @@ public void testNoConnectionOnPassive() throws Exception {
       miniHS2_2.setPamAuthenticator(pamAuthenticator2);
       miniHS2_2.start(confOverlay);
       String url1 = "http://localhost:" + hiveConf1.get(ConfVars.HIVE_SERVER2_WEBUI_PORT.varname) + "/leader";
+      String healthCheckURL1 = "http://localhost:" + hiveConf1.get(ConfVars.HIVE_SERVER2_HEALTH_HA_PORT.varname) + "/health-ha/leader";
       assertEquals(true, miniHS2_1.getIsLeaderTestFuture().get());
       assertEquals(true, miniHS2_1.isLeader());
 
@@ -454,6 +542,9 @@ public void testNoConnectionOnPassive() throws Exception {
         Thread.sleep(100);
       }
 
+      resp = sendDelete(healthCheckURL1, true);
+      assertTrue(resp, resp.contains("Method Not Allowed"));
+
       assertEquals(true, miniHS2_2.getIsLeaderTestFuture().get());
       assertEquals(true, miniHS2_2.isLeader());
 
@@ -496,6 +587,8 @@ public void testClientConnectionsOnFailover() throws Exception {
       miniHS2_2.start(confOverlay);
       String url1 = "http://localhost:" + hiveConf1.get(ConfVars.HIVE_SERVER2_WEBUI_PORT.varname) + "/leader";
       String url2 = "http://localhost:" + hiveConf2.get(ConfVars.HIVE_SERVER2_WEBUI_PORT.varname) + "/leader";
+      String healthCheckUrl1 = "http://localhost:" + hiveConf1.get(ConfVars.HIVE_SERVER2_HEALTH_HA_PORT.varname) + "/health-ha/leader";
+      String healthCheckUrl2 = "http://localhost:" + hiveConf2.get(ConfVars.HIVE_SERVER2_HEALTH_HA_PORT.varname) + "/health-ha/leader";
       String zkJdbcUrl = miniHS2_1.getJdbcURL();
       String zkConnectString = zkServer.getConnectString();
       assertTrue(zkJdbcUrl.contains(zkConnectString));
@@ -504,6 +597,7 @@ public void testClientConnectionsOnFailover() throws Exception {
       assertEquals(true, miniHS2_1.getIsLeaderTestFuture().get());
       assertEquals(true, miniHS2_1.isLeader());
       assertEquals("true", sendGet(url1, true));
+      assertEquals("true", sendGet(healthCheckUrl1, true));
 
       // before failover, check if we are getting connection from miniHS2_1
       String hs2_1_directUrl = "jdbc:hive2://" + miniHS2_1.getHost() + ":" + miniHS2_1.getBinaryPort() +
@@ -523,15 +617,20 @@ public void testClientConnectionsOnFailover() throws Exception {
         Thread.sleep(100);
       }
 
+      resp = sendDelete(healthCheckUrl1, true);
+      assertTrue(resp.contains("Method Not Allowed"));
+      
       // make sure miniHS2_1 is not leader
       assertEquals(true, miniHS2_1.getNotLeaderTestFuture().get());
       assertEquals(false, miniHS2_1.isLeader());
       assertEquals("false", sendGet(url1, true));
+      assertEquals("false", sendGet(healthCheckUrl1, true));
 
       // make sure miniHS2_2 is the new leader
       assertEquals(true, miniHS2_2.getIsLeaderTestFuture().get());
       assertEquals(true, miniHS2_2.isLeader());
       assertEquals("true", sendGet(url2, true));
+      assertEquals("true", sendGet(healthCheckUrl2, true));
 
       // when we make a new connection we should get it from miniHS2_2 this time
       String hs2_2_directUrl = "jdbc:hive2://" + miniHS2_2.getHost() + ":" + miniHS2_2.getHttpPort() +
@@ -555,8 +654,10 @@ public void testClientConnectionsOnFailover() throws Exception {
       assertEquals(true, miniHS2_1.getIsLeaderTestFuture().get());
       assertEquals(true, miniHS2_1.isLeader());
       assertEquals("true", sendGet(url1, true));
+      assertEquals("true", sendGet(healthCheckUrl1, true));
       assertEquals(true, miniHS2_2.getNotLeaderTestFuture().get());
       assertEquals("false", sendGet(url2, true));
+      assertEquals("false", sendGet(healthCheckUrl2, true));
       assertEquals(false, miniHS2_2.isLeader());
       // make sure miniHS2_2 closes all its connections
       while (miniHS2_2.getOpenSessionsCount() != 0) {

itests/util/src/main/java/org/apache/hive/jdbc/miniHS2/AbstractHiveService.java

@@ -36,15 +36,17 @@ public abstract class AbstractHiveService {
   private int binaryPort;
   private int httpPort;
   private int webPort;
+  private int healthHAPort;
   private boolean startedHiveService = false;
   private List<String> addedProperties = new ArrayList<String>();
 
-  public AbstractHiveService(HiveConf hiveConf, String hostname, int binaryPort, int httpPort, int webPort) {
+  public AbstractHiveService(HiveConf hiveConf, String hostname, int binaryPort, int httpPort, int webPort, int healthHAPort) {
     this.hiveConf = hiveConf;
     this.hostname = hostname;
     this.binaryPort = binaryPort;
     this.httpPort = httpPort;
     this.webPort = webPort;
+    this.healthHAPort = healthHAPort;
   }
 
   /**
@@ -142,6 +144,10 @@ public int getWebPort() {
     return webPort;
   }
 
+  public int getHealthHAPort() {
+    return healthHAPort;
+  }
+
   public boolean isStarted() {
     return startedHiveService;
   }

itests/util/src/main/java/org/apache/hive/jdbc/miniHS2/MiniHS2.java

@@ -292,6 +292,8 @@ private MiniHS2(HiveConf hiveConf, MiniClusterType miniClusterType, boolean useM
         (usePortsFromConf ? hiveConf.getIntVar(HiveConf.ConfVars.HIVE_SERVER2_THRIFT_HTTP_PORT) : MetaStoreTestUtils
             .findFreePort()),
         (usePortsFromConf ? hiveConf.getIntVar(ConfVars.HIVE_SERVER2_WEBUI_PORT) : MetaStoreTestUtils
+            .findFreePort()),
+        (usePortsFromConf ? hiveConf.getIntVar(ConfVars.HIVE_SERVER2_HEALTH_HA_PORT) : MetaStoreTestUtils
             .findFreePort()));
     hiveConf.setLongVar(ConfVars.HIVE_SERVER2_MAX_START_ATTEMPTS, 3l);
     hiveConf.setTimeVar(ConfVars.HIVE_SERVER2_SLEEP_INTERVAL_BETWEEN_START_ATTEMPTS, 10,
@@ -379,6 +381,7 @@ private MiniHS2(HiveConf hiveConf, MiniClusterType miniClusterType, boolean useM
     hiveConf.setIntVar(ConfVars.HIVE_SERVER2_THRIFT_PORT, getBinaryPort());
     hiveConf.setIntVar(ConfVars.HIVE_SERVER2_THRIFT_HTTP_PORT, getHttpPort());
     hiveConf.setIntVar(ConfVars.HIVE_SERVER2_WEBUI_PORT, getWebPort());
+    hiveConf.setIntVar(ConfVars.HIVE_SERVER2_HEALTH_HA_PORT, getHealthHAPort());
 
     Path scratchDir = new Path(baseFsDir, "scratch");
     // Create root scratchdir with write all, so that user impersonation has no issues.

service/pom.xml

@@ -443,7 +443,11 @@
                 <taskdef classname="org.apache.jasper.JspC" name="jspcompiler" classpathref="maven.compile.classpath"/>
                 <mkdir dir="${build.webapps}/hiveserver2/WEB-INF"/>
                 <jspcompiler uriroot="${src.webapps}/hiveserver2" outputdir="${generated.sources}/java" package="org.apache.hive.generated.hiveserver2" webxml="${build.webapps}/hiveserver2/WEB-INF/web.xml"/>
-              </target>
+                <mkdir dir="${build.webapps}/leader/WEB-INF"/>
+                <copy todir="${build.webapps}/health-ha">
+                  <fileset dir="${src.webapps}/health-ha"/>
+                </copy>
+             </target>
             </configuration>
             <goals>
               <goal>run</goal>

service/src/java/org/apache/hive/service/server/HiveServer2.java

@@ -119,6 +119,7 @@
 import org.apache.hive.service.cli.thrift.ThriftBinaryCLIService;
 import org.apache.hive.service.cli.thrift.ThriftCLIService;
 import org.apache.hive.service.cli.thrift.ThriftHttpCLIService;
+import org.apache.hive.service.servlet.HS2HealthHAStatus;
 import org.apache.hive.service.servlet.HS2LeadershipStatus;
 import org.apache.hive.service.servlet.HS2Peers;
 import org.apache.hive.service.servlet.LDAPAuthenticationFilter;
@@ -402,90 +403,9 @@ public synchronized void init(HiveConf hiveConf) {
             // Set the default JspFactory to avoid NPE while opening the home page
             JspFactory.setDefaultFactory(new org.apache.jasper.runtime.JspFactoryImpl());
           }
-          HttpServer.Builder builder = new HttpServer.Builder("hiveserver2");
-          builder.setPort(webUIPort).setConf(hiveConf);
-          builder.setHost(webHost);
-          builder.setMaxThreads(
-            hiveConf.getIntVar(ConfVars.HIVE_SERVER2_WEBUI_MAX_THREADS));
-          builder.setAdmins(hiveConf.getVar(ConfVars.USERS_IN_ADMIN_ROLE));
-          // SessionManager is initialized
-          builder.setContextAttribute("hive.sm",
-            cliService.getSessionManager());
-          hiveConf.set("startcode",
-            String.valueOf(System.currentTimeMillis()));
-          if (hiveConf.getBoolVar(ConfVars.HIVE_SERVER2_WEBUI_USE_SSL)) {
-            String keyStorePath = hiveConf.getVar(
-              ConfVars.HIVE_SERVER2_WEBUI_SSL_KEYSTORE_PATH);
-            if (StringUtils.isBlank(keyStorePath)) {
-              throw new IllegalArgumentException(
-                ConfVars.HIVE_SERVER2_WEBUI_SSL_KEYSTORE_PATH.varname
-                  + " Not configured for SSL connection");
-            }
-            builder.setKeyStorePassword(ShimLoader.getHadoopShims().getPassword(
-              hiveConf, ConfVars.HIVE_SERVER2_WEBUI_SSL_KEYSTORE_PASSWORD.varname));
-            builder.setKeyStorePath(keyStorePath);
-            builder.setKeyStoreType(hiveConf.getVar(ConfVars.HIVE_SERVER2_WEBUI_SSL_KEYSTORE_TYPE));
-            builder.setKeyManagerFactoryAlgorithm(
-                hiveConf.getVar(ConfVars.HIVE_SERVER2_WEBUI_SSL_KEYMANAGERFACTORY_ALGORITHM));
-            builder.setExcludeCiphersuites(
-                hiveConf.getVar(ConfVars.HIVE_SERVER2_WEBUI_SSL_EXCLUDE_CIPHERSUITES));
-            builder.setUseSSL(true);
-          }
-          if (hiveConf.getBoolVar(ConfVars.HIVE_SERVER2_WEBUI_USE_SPNEGO)) {
-            String spnegoPrincipal = hiveConf.getVar(
-                ConfVars.HIVE_SERVER2_WEBUI_SPNEGO_PRINCIPAL);
-            String spnegoKeytab = hiveConf.getVar(
-                ConfVars.HIVE_SERVER2_WEBUI_SPNEGO_KEYTAB);
-            if (StringUtils.isBlank(spnegoPrincipal) || StringUtils.isBlank(spnegoKeytab)) {
-              throw new IllegalArgumentException(
-                ConfVars.HIVE_SERVER2_WEBUI_SPNEGO_PRINCIPAL.varname
-                  + "/" + ConfVars.HIVE_SERVER2_WEBUI_SPNEGO_KEYTAB.varname
-                  + " Not configured for SPNEGO authentication");
-            }
-            builder.setSPNEGOPrincipal(spnegoPrincipal);
-            builder.setSPNEGOKeytab(spnegoKeytab);
-            builder.setUseSPNEGO(true);
-          }
-          if (hiveConf.getBoolVar(ConfVars.HIVE_SERVER2_WEBUI_ENABLE_CORS)) {
-            builder.setEnableCORS(true);
-            String allowedOrigins = hiveConf.getVar(ConfVars.HIVE_SERVER2_WEBUI_CORS_ALLOWED_ORIGINS);
-            String allowedMethods = hiveConf.getVar(ConfVars.HIVE_SERVER2_WEBUI_CORS_ALLOWED_METHODS);
-            String allowedHeaders = hiveConf.getVar(ConfVars.HIVE_SERVER2_WEBUI_CORS_ALLOWED_HEADERS);
-            if (StringUtils.isBlank(allowedOrigins) || StringUtils.isBlank(allowedMethods) || StringUtils.isBlank(allowedHeaders)) {
-              throw new IllegalArgumentException("CORS enabled. But " +
-                ConfVars.HIVE_SERVER2_WEBUI_CORS_ALLOWED_ORIGINS.varname + "/" +
-                ConfVars.HIVE_SERVER2_WEBUI_CORS_ALLOWED_METHODS.varname + "/" +
-                ConfVars.HIVE_SERVER2_WEBUI_CORS_ALLOWED_HEADERS.varname + "/" +
-                " is not configured");
-            }
-            builder.setAllowedOrigins(allowedOrigins);
-            builder.setAllowedMethods(allowedMethods);
-            builder.setAllowedHeaders(allowedHeaders);
-            LOG.info("CORS enabled - allowed-origins: {} allowed-methods: {} allowed-headers: {}", allowedOrigins,
-              allowedMethods, allowedHeaders);
-          }
-          if(hiveConf.getBoolVar(ConfVars.HIVE_SERVER2_WEBUI_XFRAME_ENABLED)){
-            builder.configureXFrame(true).setXFrameOption(hiveConf.getVar(ConfVars.HIVE_SERVER2_WEBUI_XFRAME_VALUE));
-          }
-          if (hiveConf.getBoolVar(ConfVars.HIVE_SERVER2_WEBUI_USE_PAM)) {
-            if (hiveConf.getBoolVar(ConfVars.HIVE_SERVER2_WEBUI_USE_SSL)) {
-              String hiveServer2PamServices = hiveConf.getVar(ConfVars.HIVE_SERVER2_PAM_SERVICES);
-              if (hiveServer2PamServices == null || hiveServer2PamServices.isEmpty()) {
-                throw new IllegalArgumentException(ConfVars.HIVE_SERVER2_PAM_SERVICES.varname + " are not configured.");
-              }
-              builder.setPAMAuthenticator(pamAuthenticator == null ? new PamAuthenticator(hiveConf) : pamAuthenticator);
-              builder.setUsePAM(true);
-            } else if (hiveConf.getBoolVar(ConfVars.HIVE_IN_TEST)) {
-              builder.setPAMAuthenticator(pamAuthenticator == null ? new PamAuthenticator(hiveConf) : pamAuthenticator);
-              builder.setUsePAM(true);
-            } else {
-              throw new IllegalArgumentException(ConfVars.HIVE_SERVER2_WEBUI_USE_SSL.varname + " has false value. It is recommended to set to true when PAM is used.");
-            }
-          }
+          HttpServer.Builder builder = initBuilder(webHost, webUIPort, "hiveserver2", "/", hiveConf);
           if (serviceDiscovery && activePassiveHA) {
-            builder.setContextAttribute("hs2.isLeader", isLeader);
-            builder.setContextAttribute("hs2.failover.callback", new FailoverHandlerCallback(hs2HARegistry));
-            builder.setContextAttribute("hiveconf", hiveConf);
+            addHAContextAttributes(builder, hiveConf);
             builder.addServlet("leader", HS2LeadershipStatus.class);
             builder.addServlet("peers", HS2Peers.class);
           }
@@ -505,10 +425,11 @@ public synchronized void init(HiveConf hiveConf) {
           if (ldapAuthService != null) {
             webServer.addServlet("login", "/login", new ServletHolder(new LoginServlet(ldapAuthService)));
           }
+          initHealthHA(webServer, hiveConf);
         }
       }
-    } catch (IOException ie) {
-      throw new ServiceException(ie);
+    } catch (Exception e) {
+      throw new ServiceException(e);
     }
 
     long otelExporterFrequency =
@@ -534,6 +455,101 @@ public synchronized void init(HiveConf hiveConf) {
     // Extra time for releasing the resources if timeout sets to 0
     ShutdownHookManager.addGracefulShutDownHook(() -> graceful_stop(),  timeout == 0 ? 30 : timeout);
   }
+  
+  private void addHAContextAttributes(HttpServer.Builder builder, HiveConf hiveConf) {
+    builder.setContextAttribute("hs2.isLeader", isLeader);
+    builder.setContextAttribute("hs2.failover.callback", new FailoverHandlerCallback(hs2HARegistry));
+    builder.setContextAttribute("hiveconf", hiveConf);
+  }
+  
+  private HttpServer.Builder initBuilder(String webHost, int port, String name, String contextPath, HiveConf hiveConf) throws IOException {
+    HttpServer.Builder builder = new HttpServer.Builder(name);
+    builder.setPort(port).setConf(hiveConf);
+    builder.setHost(webHost);
+    builder.setContextPath(contextPath);
+    builder.setMaxThreads(hiveConf.getIntVar(ConfVars.HIVE_SERVER2_WEBUI_MAX_THREADS));
+    builder.setAdmins(hiveConf.getVar(ConfVars.USERS_IN_ADMIN_ROLE));
+    // SessionManager is initialized
+    builder.setContextAttribute("hive.sm", cliService.getSessionManager());
+    hiveConf.set("startcode", String.valueOf(System.currentTimeMillis()));
+    if (hiveConf.getBoolVar(ConfVars.HIVE_SERVER2_WEBUI_USE_SSL)) {
+      String keyStorePath = hiveConf.getVar(ConfVars.HIVE_SERVER2_WEBUI_SSL_KEYSTORE_PATH);
+      if (StringUtils.isBlank(keyStorePath)) {
+        throw new IllegalArgumentException(ConfVars.HIVE_SERVER2_WEBUI_SSL_KEYSTORE_PATH.varname
+                + " Not configured for SSL connection");
+      }
+      builder.setKeyStorePassword(ShimLoader.getHadoopShims().getPassword(
+          hiveConf, ConfVars.HIVE_SERVER2_WEBUI_SSL_KEYSTORE_PASSWORD.varname));
+      builder.setKeyStorePath(keyStorePath);
+      builder.setKeyStoreType(hiveConf.getVar(ConfVars.HIVE_SERVER2_WEBUI_SSL_KEYSTORE_TYPE));
+      builder.setKeyManagerFactoryAlgorithm(
+          hiveConf.getVar(ConfVars.HIVE_SERVER2_WEBUI_SSL_KEYMANAGERFACTORY_ALGORITHM));
+      builder.setExcludeCiphersuites(hiveConf.getVar(ConfVars.HIVE_SERVER2_WEBUI_SSL_EXCLUDE_CIPHERSUITES));
+      builder.setUseSSL(true);
+    }
+    if (hiveConf.getBoolVar(ConfVars.HIVE_SERVER2_WEBUI_USE_SPNEGO)) {
+      String spnegoPrincipal = hiveConf.getVar(ConfVars.HIVE_SERVER2_WEBUI_SPNEGO_PRINCIPAL);
+      String spnegoKeytab = hiveConf.getVar(ConfVars.HIVE_SERVER2_WEBUI_SPNEGO_KEYTAB);
+      if (StringUtils.isBlank(spnegoPrincipal) || StringUtils.isBlank(spnegoKeytab)) {
+        throw new IllegalArgumentException(
+            ConfVars.HIVE_SERVER2_WEBUI_SPNEGO_PRINCIPAL.varname
+                + "/" + ConfVars.HIVE_SERVER2_WEBUI_SPNEGO_KEYTAB.varname
+                + " Not configured for SPNEGO authentication");
+      }
+      builder.setSPNEGOPrincipal(spnegoPrincipal);
+      builder.setSPNEGOKeytab(spnegoKeytab);
+      builder.setUseSPNEGO(true);
+    }
+    if (hiveConf.getBoolVar(ConfVars.HIVE_SERVER2_WEBUI_ENABLE_CORS)) {
+      builder.setEnableCORS(true);
+      String allowedOrigins = hiveConf.getVar(ConfVars.HIVE_SERVER2_WEBUI_CORS_ALLOWED_ORIGINS);
+      String allowedMethods = hiveConf.getVar(ConfVars.HIVE_SERVER2_WEBUI_CORS_ALLOWED_METHODS);
+      String allowedHeaders = hiveConf.getVar(ConfVars.HIVE_SERVER2_WEBUI_CORS_ALLOWED_HEADERS);
+      if (StringUtils.isBlank(allowedOrigins) || StringUtils.isBlank(allowedMethods) || StringUtils.isBlank(allowedHeaders)) {
+        throw new IllegalArgumentException("CORS enabled. But " +
+            ConfVars.HIVE_SERVER2_WEBUI_CORS_ALLOWED_ORIGINS.varname + "/" +
+            ConfVars.HIVE_SERVER2_WEBUI_CORS_ALLOWED_METHODS.varname + "/" +
+            ConfVars.HIVE_SERVER2_WEBUI_CORS_ALLOWED_HEADERS.varname + "/" +
+            " is not configured");
+      }
+      builder.setAllowedOrigins(allowedOrigins);
+      builder.setAllowedMethods(allowedMethods);
+      builder.setAllowedHeaders(allowedHeaders);
+      LOG.info("CORS enabled - allowed-origins: {} allowed-methods: {} allowed-headers: {}", allowedOrigins,
+          allowedMethods, allowedHeaders);
+    }
+    if(hiveConf.getBoolVar(ConfVars.HIVE_SERVER2_WEBUI_XFRAME_ENABLED)){
+      builder.configureXFrame(true).setXFrameOption(hiveConf.getVar(ConfVars.HIVE_SERVER2_WEBUI_XFRAME_VALUE));
+    }
+    if (hiveConf.getBoolVar(ConfVars.HIVE_SERVER2_WEBUI_USE_PAM)) {
+      if (hiveConf.getBoolVar(ConfVars.HIVE_SERVER2_WEBUI_USE_SSL)) {
+        String hiveServer2PamServices = hiveConf.getVar(ConfVars.HIVE_SERVER2_PAM_SERVICES);
+        if (hiveServer2PamServices == null || hiveServer2PamServices.isEmpty()) {
+          throw new IllegalArgumentException(ConfVars.HIVE_SERVER2_PAM_SERVICES.varname + " are not configured.");
+        }
+        builder.setPAMAuthenticator(pamAuthenticator == null ? new PamAuthenticator(hiveConf) : pamAuthenticator);
+        builder.setUsePAM(true);
+      } else if (hiveConf.getBoolVar(ConfVars.HIVE_IN_TEST)) {
+        builder.setPAMAuthenticator(pamAuthenticator == null ? new PamAuthenticator(hiveConf) : pamAuthenticator);
+        builder.setUsePAM(true);
+      } else {
+        throw new IllegalArgumentException(ConfVars.HIVE_SERVER2_WEBUI_USE_SSL.varname + " has false value. It is recommended to set to true when PAM is used.");
+      }
+    }
+    
+    return builder;
+  }
+  
+  private void initHealthHA(HttpServer webServer, HiveConf hiveConf) throws Exception {
+    if (serviceDiscovery && activePassiveHA) {
+      String webHost = hiveConf.getVar(ConfVars.HIVE_SERVER2_WEBUI_BIND_HOST);
+      int healthCheckPort = hiveConf.getIntVar(ConfVars.HIVE_SERVER2_HEALTH_HA_PORT);
+      HttpServer.Builder builder = initBuilder(webHost, healthCheckPort, "health-ha", "/health-ha", hiveConf);
+      addHAContextAttributes(builder, hiveConf);
+      builder.addServlet("leader", HS2HealthHAStatus.class);
+      webServer.addWebApp(builder); 
+    }
+  }
 
   private void logCompactionParameters(HiveConf hiveConf) {
     LOG.info("Compaction HS2 parameters:");

service/src/java/org/apache/hive/service/servlet/HS2HealthHAStatus.java

@@ -0,0 +1,31 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hive.service.servlet;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+public class HS2HealthHAStatus extends HS2LeadershipStatus {
+
+  @Override
+  public void doDelete(final HttpServletRequest request, final HttpServletResponse response) throws IOException {
+    response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED, "DELETE method is not allowed");
+  }
+}

service/src/resources/hive-webapps/health-ha/web.xml

@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
+                 http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
+         version="3.1"
+         metadata-complete="false">
+
+</web-app>
+