Supported authentication

In CDH, the list of supported authentication modes for Impala clients included Kerberos. However, Kerberos authentication is not supported for Impala clients in Cloudera Data Warehouse (CDW). To connect to Impala that is running in CDW you can use your workload userID and password.

Security change - Apache Knox authentication not supported in CDW

Knox proxy that is generally used to extend the reach of Apache™ Hadoop® services to users outside of a Hadoop cluster is not supported within CDW. Open the ports for Private Cloud with Data Services as a gateway for communicating with AWS services.

Switch to LDAP auth for Impala-shell and Impyla clients

You can use impala-shell and impyla to query Impala Virtual Warehouses in CDW; however, Kerberos is not supported with impala-shell and impyla in CDW. To query Impala Virtual Warehouse, you must switch to LDAP authentication. To switch to LDAP, upgrade impala-shell to the latest version by running the following command: pip2 install impala-shell. You can specify the following connection string when starting impala-shell to control how shell commands are executed. You can specify options on the command line or in the impala-shell configuration file:
Impala-shell --protocol=’hs2-http’ --ssl -i “<impalad=host-name>:443” -u <user-name> -l
  • hs2-http is the HiveServer2 protocol that impala-shell uses to speak to the Impala daemon
  • -l enables LDAP authentication
  • --ssl enables TLS/SSL for impala-shell