In CDH the list of supported authentication modes for Impala clients included Kerberos. However Kerberos authentication is not supported for Impala clients in CDW. To connect to Impala that is running in CDW you can use your workload userID and password.
Security change - Apache Knox authentication not supported in CDW
Knox proxy that is generally used to extend the reach of Apache™ Hadoop® services to users outside of a Hadoop cluster is not supported within CDW. Open the ports for Private Cloud with Data Services as a gateway for communicating with AWS services.
Switch to LDAP auth for Impala-shell and Impyla Clients
You can use impala-shell and impyla to query Impala Virtual Warehouses in the Cloudera Data Warehouse (CDW) service; however, Kerberos is not supported with impala-shell and impyla in CDW. To query Impala VWs, you must switch to LDAP authentication. To switch to LDAP, upgrade impala-shell to the latest using pip2 install impala-shell. You can specify the following connection string when starting impala-shell to control how shell commands are executed. You can specify options on the command line or in the impala-shell configuration file.
Impala-shell --protocol=’hs2-http’ --ssl -i “<impalad=host-name>:443” -u <user-name> -l
where hs2-http HiveServer2 protocol impala-shell uses to speak to the Impala Daemon -l Enables LDAP authentication --ssl Enables TLS/SSL for impala-shell