There have been complaints from users about not being able to use Impala after upgrading to Impala version with KRPC enabled due to authentication issues. Please document them in the known issues or best practice guide.
Symptoms: When using Impala with LDAP enabled, a user may hit the following:
Root cause: The following sequence can lead to the user "impala" not being created in /etc/passwd.
time 1: no impala in LDAP; things get installed; impala created in /etc/passwd
time 2: impala added to LDAP
time 3: new machine added
- Manually edit /etc/passwd to add the impala user
- Upgrade to a version of Impala with the patch
Symptoms: When running with Kerberos enabled, a user may hit the following error:
KrpcDataStreamSender passes a resolved IP address when creating a proxy. Instead, we should pass both the resolved address and the hostname when creating the proxy so that we won't end up using the IP address as the hostname in the Kerberos principal.
- Set rdns=true in /etc/krb5.conf
- Upgrade to a version of Impala with the fix of
Symptoms: When running with Kerberos enabled, a user may hit the following error message where <random-string> is some random string which doesn't match the primary in the Kerberos principal
Due to system "auth_to_local" mapping, the principal may be mapped to some local name.
- Start Impala with the flag --use_system_auth_to_local=false