Impala Authentication
Authentication is the mechanism to ensure that only specified hosts and users can connect to Impala.
Authentication feature verifies that when clients connect to Impala, they are connected to a legitimate server. The feature prevents spoofing such as impersonation (setting up a phony client system with the same account and group names as a legitimate user) and person-in-the-middle attacks (intercepting application requests before they reach Impala and eavesdropping on sensitive information in the requests or the results).
Impala automatically handles both Kerberos and LDAP authentication. Each impalad daemon can accept both Kerberos and LDAP requests through the same port. No special actions need to be taken if some users authenticate through Kerberos and some through LDAP.
You can also make proxy connections to Impala through Apache Knox. If you are using Knox to
access Impala api calls and if you have a custom kerberos principal name with default service
user name for knox then the Configuration under Clusters -> Impala ->
Configuration
should include the custom knox principal name
<knox_custom_kerberos_principal_name>
as one of the comma separated list
of values.
where <knox_custom_kerberos_principal_name>
is the value of the Kerberos Principal in the
Knox service.
Select Clusters>Knox>Configuration
and search for Kerberos Principal to display this value.
Regardless of the authentication mechanism used, Impala always creates
HDFS directories and data files owned by the same user (typically
impala
). Once you are finished setting up
authentication, set up authorization to control user-level access to
databases, tables, columns, partitions when they connect through
Impala.