Configuring OAuth Authentication

Impala shell users can now use OAuth for authentication instead of a username and password. When OAuth authentication is used, the Impala shell enforces the use of the hs2-http protocol, since the OAuth token is sent through the "Authentication" HTTP header.

To enable and configure OAuth:
  1. In , select the Impala service.
  2. In the Configuration tab, search for 'Impala Daemon Command Line Argument Advanced Configuration Snippet (Safety Valve)' to add the OAuth configuration fields.
  3. Set the following fields to enable OAuth.
    1. OAUTH URL: oauth_jwks_url
      This is the web address where Impala gets the security keys needed to verify OAuth authentication. By default, no URL is set. You'll find the correct URL in your authentication provider's documentation.
    2. Username OAuth Custom Claim: oauth_jwt_custom_claim_username
      This setting tells Impala which part of the OAuth token contains the short username for authentication. By default, no specific claim is set. Refer to your authentication provider's documentation to find out which claim holds the username.
    3. OAuth Token Authentication: oauth_token_auth (Default: false)
      When true, OAuth authentication is enabled.
    4. OAuth Validate Signature: oauth_jwt_validate_signature (Default: true)
      This setting determines whether Impala checks the digital signature of incoming OAuth tokens against the downloaded security keys. With the default value, Impala verifies the token's signature using pre-installed public keys.
    5. OAuth JWKS Pull Timeout: oauth_jwks_pulling_timeout_s (Default: 10 seconds)
      This is the maximum time (in seconds) Impala will wait to download the security keys from the specified URL before giving up. This setting applies only when an oauth_jwks_url is provided.
    6. OAuth JWKS Update Frequency: oauth_jwks_update_frequency_s (Default: 60 seconds)
      This is how often (in seconds) Impala will re-download the security keys from the specified URL to ensure they are up-to-date. This setting also applies only when an oauth_jwks_url is provided.
    7. Verify OAuth JWKS Server Certificate: oauth_jwks_verify_server_certificate (Default: true)
      This controls whether Impala verifies the security certificate of the server providing the OAuth security keys. For production environments, this should always be true. Only set it to false for development or testing purposes.
  4. Click Save Changes and restart the Impala service.
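
Before saving, the snippet can be checked for the settings that weaken token verification. The following is an added example, not part of the product or its documentation: it audits a safety valve snippet against the flags and defaults listed above. The one "--flag=value" per line layout, the example URLs and the claim name preferred_username are assumptions.

```python
# Flag names and defaults come from the list above. The one "--flag=value" per
# line layout, the URLs and the claim name are assumptions for this example.
DEFAULTS = {"oauth_token_auth": "false", "oauth_jwks_url": "",
            "oauth_jwt_custom_claim_username": "",
            "oauth_jwt_validate_signature": "true",
            "oauth_jwks_verify_server_certificate": "true"}

def parse_flags(snippet):
    """Overlay the flags found in the snippet on the documented defaults."""
    flags = dict(DEFAULTS)
    for line in snippet.splitlines():
        line = line.strip()
        if line.startswith("-"):  # skips blank lines and comments
            name, sep, value = line.lstrip("-").partition("=")
            flags[name.strip()] = value.strip() if sep else "true"
    return flags

def is_true(value):
    return value.lower() in ("true", "t", "1", "yes", "y")  # gflags-style booleans

def audit(snippet):
    """Return findings for weak OAuth settings; an empty list means none found."""
    f = parse_flags(snippet)
    if not is_true(f["oauth_token_auth"]):
        return ["oauth_token_auth is not true: OAuth authentication is off"]
    findings = []
    if not is_true(f["oauth_jwt_validate_signature"]):
        findings.append("oauth_jwt_validate_signature: token signatures are not checked")
    if not is_true(f["oauth_jwks_verify_server_certificate"]):
        findings.append("oauth_jwks_verify_server_certificate: JWKS server certificate is not verified")
    if f["oauth_jwks_url"].lower().startswith("http://"):
        findings.append("oauth_jwks_url: signing keys are fetched over plain HTTP")
    if not f["oauth_jwt_custom_claim_username"]:
        findings.append("oauth_jwt_custom_claim_username: no username claim is set")
    return findings

# Constructed sample snippets, not taken from a real deployment.
WEAK = """
--oauth_token_auth=true
--oauth_jwks_url=http://idp.example.com/jwks.json
--oauth_jwt_validate_signature=false
--oauth_jwks_verify_server_certificate=false
"""
HARDENED = """
--oauth_token_auth=true
--oauth_jwks_url=https://idp.example.com/jwks.json
--oauth_jwt_custom_claim_username=preferred_username
"""
if __name__ == "__main__":
    print("\n".join(audit(WEAK)))
```

audit(WEAK) reports four findings and audit(HARDENED) reports none; flags left out of a snippet are evaluated at the defaults listed above.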