Configuring LDAP Authentication
Impala uses LDAP for authentication, verifying the credentials of each user who connects through impala-shell, Hue, a Business Intelligence tool, JDBC or ODBC applications.
Authentication is the process of allowing only specified named users to access the server (in this case, the Impala server). This feature is crucial for any production deployment, to prevent misuse, tampering, or excessive load on the server.
Only the connections between clients and Impala can be authenticated by LDAP.
To enable and configure LDAP:
- In Cloudera Manager, select the Impala service.
- In the Configuration tab, type ldap in the search box. The fields for LDAP configuration will be listed.
- Set the following fields to enable LDAP.
- Enable LDAP Authentication (enable_ldap_auth)
-
Enables LDAP-based authentication between the client and Impala.
- LDAP URL (ldap_uri)
-
Sets the URI of the LDAP server to use. Typically, the URI is prefixed with
ldap://
. You can specify secure SSL-based LDAP transport by using the prefixldaps://
. The URI can optionally specify the port, for example:ldap://ldap_server.example.com:389
orldaps://ldap_server.example.com:636
. (389 and 636 are the default ports for non-SSL and SSL LDAP connections, respectively.)
- Set the following fields to support custom bind strings.
When Impala connects to LDAP, it issues a bind call to the LDAP server to authenticate as the connected user. Impala clients, including the Impala-shell, provide the short name of the user to Impala. This is necessary so that Impala can use role-based access, which uses short names.
However, LDAP servers often require more complex, structured usernames for authentication. Impala supports three ways of transforming the short name (for example,
'henry'
) to a more complicated string. If necessary, specify one of the following configuration options when starting the impalad daemon.- Active Directory Domain (--ldap_domain)
-
Replaces the username with a string
username@ldap_domain
. - LDAP BaseDN (--ldap_baseDN)
-
Replaces the username with a
distinguished name
(DN) of the form:uid=userid,ldap_baseDN
. (This is equivalent to a Hive option). - LDAP Pattern (--ldap_bind_pattern)
-
This is the most general option, and replaces the username with the string ldap_bind_pattern where all instances of the string
#UID
are replaced with userid. For example, anldap_bind_pattern
of"user=#UID,OU=foo,CN=bar"
with a username ofhenry
will construct a bind name of"user=henry,OU=foo,CN=bar"
.
The above options are mutually exclusive, and Impala does not start if more than one of these options are specified.
- Set the following fields for secure LDAP connections.
To avoid sending credentials over the wire in cleartext, you must configure a secure connection between both the client and Impala, and between Impala and the LDAP server. The secure connection could use SSL or TLS.
Secure LDAP connections through SSL:
For SSL-enabled LDAP connections, specify a prefix of
ldaps://
instead ofldap://
. Also, the default port for SSL-enabled LDAP connections is 636 instead of 389.Secure LDAP connections through TLS:
TLS, the successor to the SSL protocol, is supported by most modern LDAP servers. Unlike SSL connections, TLS connections can be made on the same server port as non-TLS connections. To secure all connections using TLS, specify the following flags as startup options to the impalad daemon:
- Enable LDAP TLS (--ldap_tls_
-
Tells Impala to start a TLS connection to the LDAP server, and to fail authentication if it cannot be done.
- LDAP Server CA Certificate (--ldap_ca_certificate)
-
Specifies the location of the certificate in standard
.PEM
format. Store this certificate on the local filesystem, in a location that only theimpala
user and other trusted users can read.
- Click Save Changes and restart the Impala service.