Configuring Kerberos Authentication for Impala

Requirements for Using Impala with Kerberos

Impala supports the Cloudera ODBC driver and the Kerberos interface provided. To use Kerberos through the ODBC driver, the host type must be set depending on the level of the ODBD driver:

  • SecImpala for the ODBC 1.0 driver.
  • SecBeeswax for the ODBC 1.2 driver.
  • Blank for the ODBC 2.0 driver or higher, when connecting to a secure cluster.
  • HS2NoSasl for the ODBC 2.0 driver or higher, when connecting to a non-secure cluster.

Enabling Kerberos in Impala-shell

To enable Kerberos in the Impala shell, start the impala-shell command using the -k flag.

Enabling Access to Internal Impala APIs for Kerberos Users

For applications that need direct access to Impala APIs, without going through the HiveServer2 or Beeswax interfaces, you can specify a list of Kerberos users who are allowed to call those APIs. By default, the impala and hdfs users are the only ones authorized for this kind of access. Any users not explicitly authorized through the internal_principals_whitelist configuration setting are blocked from accessing the APIs. This setting applies to all the Impala-related daemons, although currently it is primarily used for HDFS to control the behavior of the catalog server.

Customizing Kerberos Principals for Impala

  1. In Cloudera Manager, click Clusters > Impala to go to the Impala service.

  2. Click the Configuration tab.

  3. Select Scope > Impala (Service-Wide).

  4. In the Kerberos Principal field, add the custom Kerberos principal name to be used by all roles of this service.

  5. Click Save Changes.

  6. After setting the new kerberos principal name, restart stale services.

Mapping Kerberos Principals to Short Names for Impala

Impala can support the additional mapping rules that will be inserted before rules generated from the list of trusted realms and before the default rule. The support is disabled by default in Impala.

To enable mapping Kerberos principals to short names:

  1. In Cloudera Manager, select the Impala service.
  2. In the Configuration tab, select Impala (Service-Wide) in Scope and Advanced in Category.
  3. Select the Use HDFS Rules to Map Kerberos Principals to Short Names field.
  4. Click Save Changes, and restart the Impala service.