Configuring remote JCEKS keystores for Impala

Learn how to configure remote JCEKS keystores to use cloud storage paths for credential management.

Adding an S3 path directly to the hadoop.security.credential.provider.path property is not supported and causes filesystem initialization failures. To address this issue, you must use the REMOTE_JCEKS_PATH environment variable. When this variable is set, a conditional jceks-initializer init-container copies the remote keystore to the local filesystem of the coordinator and executor pods. The system then automatically updates the hadoop.security.credential.provider.path property in the core-site.xml file to point to the new local location.

  1. Log in to the Cloudera Data Warehouse service as an administrator.
  2. Go to Impala Virtual Warehouse > > Details > Configurations
  3. Go to the Impala coordinator tab and select env from the Configuration files drop-down list.
  4. Add the REMOTE_JCEKS_PATH environment variable.
  5. Enter the valid URI for the remote keystore, such as an S3 or ABFS path, in the Value field.
    S3/S3A Paths:
    s3://<bucket>/path/to/keystore.jceks
    s3a://<bucket>/path/to/keystore.jceks
    
    ABFS/HTTPS Paths:
    abfs://<containername>@<accountname>.dfs.core.windows.net/path/to/keystore.jceks
    https://<accountname>.blob.core.windows.net/<containername>/path/to/keystore.jceks
    
  6. Go to the Impala executor tab and select env from the Configuration files drop-down list.
  7. Add the REMOTE_JCEKS_PATH environment variable.
  8. Enter the valid URI for the remote keystore, such as an S3 or ABFS path, in the Value field, as shown in the example above.
  9. Click Apply Changes to update the Impala Virtual Warehouse.
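
Because a malformed value only surfaces when the pods start, the URI can be checked before it is entered in steps 5 and 8. The following is an added example, not Cloudera code: check_remote_jceks_path is a hypothetical helper that accepts only the four URI forms listed in step 5. It assumes the keystore file name ends in .jceks and that the value carries no query string, as in those forms; the sample values are constructed.

```python
from urllib.parse import urlsplit

# Hypothetical pre-check, not part of Cloudera Data Warehouse. It accepts only
# the four URI forms shown in step 5; other forms are out of scope here.
ABFS_SUFFIX = ".dfs.core.windows.net"
BLOB_SUFFIX = ".blob.core.windows.net"


def check_remote_jceks_path(value):
    """Return (ok, reason) for a candidate REMOTE_JCEKS_PATH value."""
    if any(c.isspace() for c in value):
        return False, "whitespace in value"
    u = urlsplit(value)
    if u.query or u.fragment:
        # Assumption: the listed forms have no query string or fragment.
        return False, "query string or fragment not expected"
    segments = [s for s in u.path.split("/") if s]
    if not segments or not segments[-1].endswith(".jceks"):
        return False, "path does not end in a .jceks file"
    if ".." in segments:
        return False, "path traversal segment"
    if u.scheme in ("s3", "s3a"):
        if not u.netloc or "@" in u.netloc or ":" in u.netloc:
            return False, "expected s3://<bucket>/path/to/keystore.jceks"
        return True, "s3 path"
    if u.scheme == "abfs":
        container, sep, host = u.netloc.partition("@")
        account = host[: -len(ABFS_SUFFIX)] if host.endswith(ABFS_SUFFIX) else ""
        if not (sep and container and account):
            return False, "expected abfs://<containername>@<accountname>" + ABFS_SUFFIX
        return True, "abfs path"
    if u.scheme == "https":
        host = u.netloc
        account = host[: -len(BLOB_SUFFIX)] if host.endswith(BLOB_SUFFIX) else ""
        if not account or "@" in host or len(segments) < 2:
            return False, "expected https://<accountname>" + BLOB_SUFFIX + "/<containername>/..."
        return True, "https blob path"
    return False, "unsupported scheme: %r" % u.scheme


if __name__ == "__main__":
    # Constructed sample values, not real buckets or storage accounts.
    for sample in ("s3a://example-bucket/path/to/keystore.jceks",
                   "abfs://example.dfs.core.windows.net/path/to/keystore.jceks"):
        print(sample, "->", check_remote_jceks_path(sample))
```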