Connecting to a kerberized Impala daemon

Using an impala-shell session you can connect to an impalad daemon to issue queries. When you connect to an impalad, it coordinates the execution of all queries sent to it. You can run impala-shell to connect to a Kerberized Impala instance over HTTP in a cluster.

Kerberos is an enterprise-grade authentication system Impala supports. Kerberos provides strong security benefits including capabilities that render intercepted authentication packets unusable by an attacker. It virtually eliminates the threat of impersonation by never sending a user's credentials in cleartext over the network. Cloudera recommends using impala-shell with Kerberos authentication for strong security benefits while accessing an Impala instance.

  • Locate the hostname that is running the impalad daemon.
  • 28000 is the default port impalad daemon uses to transmit commands and receive results from client applications over HTTP using the HiveServer2 protocol. Ensure that this port is open.
  • Ensure that the host running impala-shell has a preexisting kinit-cached Kerberos ticket that impala-shell can pass to the impala server automatically without the need for the user to reenter the password.
  • To override any client connection errors, you should run the Kinit command to retrieve the Ticket Granting Ticket or to extend it if it has already expired.
  1. To enable Kerberos in the Impala shell, start the impala-shell command using the -k flag.
  2. For impala-shell to communicate with the Impala daemon over HTTP through the HiveServer2 protocol, specify --protocol=hs2-http as the protocol.
    impala-shell -i -k --protocol=hs2-http
    Starting Impala Shell with Kerberos authentication using Python 2.7.5
    Using service name 'impala'
    Warning: --connect_timeout_ms is currently ignored with HTTP transport.
    Opened TCP connection to
    Connected to
    Server version: impalad version 4.0.0-SNAPSHOT RELEASE (build d18b1c1d3f7230d330b58928513c20e90bab0153)