Configuring Kerberos Authentication
Impala supports an enterprise-grade authentication system called Kerberos. Kerberos provides strong security benefits including capabilities that render intercepted authentication packets unusable by an attacker. It virtually eliminates the threat of impersonation by never sending a user's credentials in cleartext over the network.
Requirements for Using Impala with Kerberos
Impala supports the Cloudera ODBC driver and the Kerberos interface provided. To use Kerberos through the ODBC driver, the host type must be set depending on the level of the ODBD driver:
SecImpalafor the ODBC 1.0 driver.
SecBeeswaxfor the ODBC 1.2 driver.
- Blank for the ODBC 2.0 driver or higher, when connecting to a secure cluster.
HS2NoSaslfor the ODBC 2.0 driver or higher, when connecting to a non-secure cluster.
Enabling Kerberos in Impala-shell
To enable Kerberos in the Impala shell, start the
impala-shell command using the
Configuring Impala to Support Kerberos Security
Enabling Kerberos authentication for Impala involves steps that can be summarized as follows:
- Creating service principals for Impala and the HTTP service.
Principal names take the form:
- Creating, merging, and distributing key tab files for these principals.
/etc/default/impala(in cluster not managed by Cloudera Manager), or editing the Security settings in the Cloudera Manager interface, to accommodate Kerberos authentication.
Enabling Access to Internal Impala APIs for Kerberos Users
For applications that need direct access to Impala
APIs, without going through the HiveServer2 or Beeswax interfaces, you
can specify a list of Kerberos users who are allowed to call those APIs.
By default, the
are the only ones authorized for this kind of access. Any users not
explicitly authorized through the
internal_principals_whitelist configuration setting
are blocked from accessing the APIs. This setting applies to all the
Impala-related daemons, although currently it is primarily used for HDFS
to control the behavior of the catalog server.
Customizing Kerberos Principals for Impala
By default, Cloudera Manager configures CDP services to use the default Kerberos principal names. While it is possible to customize the Kerberos principal names for most cluster services by setting various configuration properties, it requires extensive custom configuration and, if absolutely required, we highly recommend working closely with Cloudera Professional services in doing so.
In Cloudera Manager, click Clusters > Impala to go to the Impala service.
Click the Configuration tab.
Select Scope > Impala (Service-Wide).
In the Kerberos Principal field, add the custom Kerberos principal name to be used by all roles of this service.
Click Save Changes.
In the Instances tab, click Actions to Selected and select Regenerate missing keytab. Click Save.
After setting the new kerberos principal name, restart stale services.
In order to be able to regenerate missing keytabs, stop role instances.
Mapping Kerberos Principals to Short Names for Impala
Impala can support the additional mapping rules that will be inserted before rules generated from the list of trusted realms and before the default rule. The support is disabled by default in Impala.
To enable mapping Kerberos principals to short names:
- In Cloudera Manager, select the Impala service.
- In the Configuration tab, select Impala (Service-Wide) in Scope and Advanced in Category.
- Select the Use HDFS Rules to Map Kerberos Principals to Short Names field.
- Click Save Changes, and restart the Impala service.