Details
Type: New Feature
Status: Resolved
Priority: Major
Resolution: Fixed
Description
Currently, if we try to connect to a Kerberized impalad via "hs2-http" by executing "impala-shell --protocol='hs2-http' -k", we get the following error.
    [root@engesc8305d07-2 impalad]# impala-shell --protocol='hs2-http' -k
    Starting Impala Shell using Kerberos authentication
    Using service name 'impala'
    Warning: --connect_timeout_ms is currently ignored with HTTP transport.
    Kerberos not supported with HTTP endpoints.
    Error connecting: NotImplementedError,
    ***********************************************************************************
    Welcome to the Impala shell.
    (Impala Shell v3.4.0-SNAPSHOT (134517e) built on Thu Nov 26 15:55:15 UTC 2020)
    You can run a single query from the command line using the '-q' option.
    ***********************************************************************************
    [Not connected] >
In theory Impala already supports Kerberos over the HTTP protocol since we are able to connect to a Kerberized impalad via a JDBC driver.
    [root@c3512-node2 ~]# beeline -d "com.cloudera.impala.jdbc41.Driver" -u 'jdbc:impala://c3512-node3.coelab.cloudera.com:28000/;transportMode=http;httpPath=cliservice;AuthMech=1;KrbRealm=SUPPORT.COM;KrbHostFQDN=_HOST;KrbServiceName=impala;SSL=1;SSLTrustStore=/tmp/gateway-client-trust.jks;SSLTrustStorePwd=changeit' -e 'select 1'
    Connecting to jdbc:impala://c3512-node3.coelab.cloudera.com:28000/;transportMode=http;httpPath=cliservice;AuthMech=1;KrbRealm=SUPPORT.COM;KrbHostFQDN=_HOST;KrbServiceName=impala;SSL=1;SSLTrustStore=/tmp/gateway-client-trust.jks;SSLTrustStorePwd=changeit
    Connected to: Impala (version 3.4.0-SNAPSHOT)
    Driver: ImpalaJDBC (version 02.06.23.1028)
    +---------+
    | expr_0  |
    +---------+
    | 1       |
    +---------+
    1 row selected (1.227 seconds)
Specifically, IMPALA-8783 added Kerberos SPNEGO support to the http hs2 server and yet later on in IMPALA-8932 we added a condition to not try to connect via Kerberos if the protocol is HTTP at https://gerrit.cloudera.org/c/14201/3/shell/impala_shell.py#816.
It seems we could remove this additional condition to allow impala-shell to support Kerberos over HTTP.