Cloudera Docs

Authenticating users in CDW Private Cloud

Cloudera Data Warehouse (CDW) supports LDAP and Kerberos for authenticating users to access databases and tables from Business Intelligence (BI) clients and tools such as Hue, Beeline, Impyla, Impala-shell, and other JDBC clients.

Authentication using LDAP

If you choose to use LDAP to authenticate users to connect to a Virtual Warehouse from a client shell such as Beeline, Impyla, Impala-shell, and so on, then you must create Bind users. However, the Bind users must either specify the username and password inline with the command or after submitting the command from the client.

CDW does not support LDAP and Kerberos simultaneously for connecting to Hive Virtual Warehouse. You have the option to select either LDAP or Kerberos for authenticating users to Hive Virtual Warehouses while creating a new Virtual Warehouse. The default authentication mode is LDAP. There is no such restriction for Impala. However, if you enable the Unified Analytics mode on Impala Virtual Warehouses, then certain Hive components are also included in the Impala Virtual Warehouse, therefore, the authentication mode restriction applies to these Hive components as well. You must specify the authentication mode for Unified Analytics components when creating an Impala Virtual Warehouse. The default authentication mode for the Hive components in the Unified Analytics mode is LDAP. The authentication mode that you set here applies only to the Unified Analytics' components (mainly Hive). The Impala components continue to support both authentication modes. If you connect to the Impala Virtual Warehouse remotely, then both LDAP and Kerberos authentication modes can be used. But if you connect to the Impala Virtual Warehouse in the Unified Analytics mode, then only the selected authentication mode is used.

Authentication using Kerberos

Kerberos uses passwords stored in the Kerberos keytab files. This removes the need to specify username and password as parameters inline with the command or after submitting the command from a JDBC client to connect to a Virtual Warehouse in CDW, while adding a layer of security.

Impala can use LDAP or Kerberos without any pre-configuration. To use Kerberos for Hive, you must select KERBEROS from the Hive Authentication Mode drop-down menu while creating a Hive Virtual Warehouse.