Configuring SSL for Impala

Impala supports SSL network encryption, between Impala and client programs, and between the Impala-related daemons running on different nodes in the cluster. This feature is important when you also use other features such as Kerberos authentication or Sentry authorization, where credentials are being transmitted back and forth.

Using Cloudera Manager

To configure Impala to listen for Beeswax and HiveServer2 requests on SSL-secured ports:
  1. Open the Cloudera Manager Admin Console and navigate to the Impala service.
  2. Click Configuration.
  3. In the Search field, type SSL to show the Impala SSL properties (found under the Service-Wide > Security category).
  4. If you are not using Kerberos, edit the following SSL properties according to your cluster configuration.
    Impala SSL Properties
    Property Description
    Enable SSL for Impala Client Services Enable support for encrypted client-server communication using Secure Socket Layer (SSL) for Impala client services.
    SSL Server Certificate Local path to the SSL server certificate file.
    SSL Server Private Key Local path to the SSL private key file.
    Cloudera Manager 5.2 does not have the ability to configure SSL when Kerberos is enabled. If you are using Kerberos, add the following properties to the Impala Command Line Argument Advanced Configuration Snippet (Safety Valve) property (found under the Service-Wide > Advanced category):
    -ssl_server_certificate=/etc/impala/<certificate>.pem
    -ssl_private_key=/etc/impala/<private_key>.pem
  5. Click Save Changes.
  6. Restart the Impala service.

For information on configuring SSL communication with the impala-shell interpreter, see the section below on Configuring SSL Communication for the Impala Shell.

Using the Command Line

To enable SSL for Impala network communication, add both of the following flags to the impalad startup options:

  • --ssl_server_certificate: the full path to the server certificate, on the local filesystem.
  • --ssl_private_key: the full path to the server private key, on the local filesystem.

If either of these flags are set, both must be set. In that case, Impala starts listening for Beeswax and HiveServer2 requests on SSL-secured ports only. (The port numbers stay the same; see Ports Used by Impala for details.)

Configuring SSL Communication for the Impala Shell

Typically, a client program has corresponding configuration properties in Cloudera Manager to verify that it is connecting to the right server. For example, with SSL enabled for Impala, you use the following options when starting the impala-shell interpreter:

  • --ssl: enables SSL for impala-shell.
  • --ca_cert: the local pathname pointing to the third-party CA certificate, or to a copy of the server certificate for self-signed server certificates.

If --ca_cert is not set, impala-shell enables SSL, but does not validate the server certificate. This is useful for connecting to a known-good Impala that is only running over SSL, when a copy of the certificate is not available (such as when debugging customer installations).

Using TLS/SSL with Business Intelligence Tools

You can use Kerberos authentication, TLS/SSL encryption, or both to secure connections from JDBC and ODBC applications to Impala. See Configuring Impala to Work with JDBC and Configuring Impala to Work with ODBC for details.

Currently, the Hive JDBC driver does not support connections that use both Kerberos authentication and SSL encryption. To use both of these security features with Impala through a JDBC application, use the Cloudera JDBC Connector as the JDBC driver.