IMPALA-8111

Document workaround for some authentication issues with KRPC


    Details

    • Type: Task
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: Impala 2.12.0, Impala 3.1.0
    • Fix Version/s: Impala 3.2.0
    • Component/s: Docs

      Description

      There have been complaints from users about not being able to use Impala after upgrading to an Impala version with KRPC enabled, due to authentication issues. Please document them in the known issues or best practice guide.

      1. https://issues.apache.org/jira/browse/IMPALA-7585:
      Symptoms: When using Impala with LDAP enabled, a user may hit the following:

      Not authorized: Client connection negotiation failed: client connection to 127.0.0.1:27000: SASL(-1): generic failure: All-whitespace username.
      

      Root cause: The following sequence can lead to the user "impala" not being created in /etc/passwd.

      time 1: no impala in LDAP; things get installed; impala created in /etc/passwd
      time 2: impala added to LDAP
      time 3: new machine added

      Workaround:

      • Manually edit /etc/passwd to add the impala user
      • Upgrade to a version of Impala with the patch IMPALA-7585

      2. https://issues.apache.org/jira/browse/IMPALA-7298
      Symptoms: When running with Kerberos enabled, a user may hit the following error:

      WARNINGS: TransmitData() to X.X.X.X:27000 failed: Not authorized: Client connection negotiation failed: client connection to X.X.X.X:27000: Server impala/X.X.X.X@VPC.CLOUDERA.COM not found in Kerberos database
      

      Root cause:
      KrpcDataStreamSender passes a resolved IP address when creating a proxy. Instead, we should pass both the resolved address and the hostname when creating the proxy so that we won't end up using the IP address as the hostname in the Kerberos principal.

      Workaround:

      • Set rdns=true in /etc/krb5.conf
      • Upgrade to a version of Impala with the fix of IMPALA-7298

      3. https://issues.apache.org/jira/browse/KUDU-2198
      Symptoms: When running with Kerberos enabled, a user may hit the following error message, where <random-string> is some random string which doesn't match the primary in the Kerberos principal:

      WARNINGS: TransmitData() to X.X.X.X:27000 failed: Remote error: Not authorized: {username='<random-string>', principal='impala/redacted'} is not allowed to access DataStreamService
      

      Root cause:
      Due to system "auth_to_local" mapping, the principal may be mapped to some local name.

      Workaround:

      • Start Impala with the flag --use_system_auth_to_local=false


            People

            • Assignee:
              arodoni Alexandra Rodoni
              Reporter:
              kwho Michael Ho

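The three workarounds in the description can be checked on a host before enabling KRPC. The following is an added example, not part of the issue or of Impala's code: `parse_krb5`, `preflight`, and the sample passwd and krb5.conf contents are constructed for illustration, and the `auth_to_local` check is a heuristic.

```python
import re

# Constructed sample inputs, not taken from a real host.
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\nhdfs:x:996:993::/var/lib/hdfs:/sbin/nologin\n"
SAMPLE_KRB5 = """\
[libdefaults]
  default_realm = EXAMPLE.COM
  rdns = false
[realms]
  EXAMPLE.COM = {
    kdc = kdc.example.com
    auth_to_local = RULE:[2:$1@$0](impala@EXAMPLE\\.COM)s/.*/svc_impala/
  }
"""
FALSE_VALUES = {"false", "no", "off", "0", "n", "nil"}  # krb5.conf boolean spellings

def parse_krb5(text):
    """Return {section: [(key, value), ...]}, flattening nested { } blocks."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or line == "}":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), [])
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            if value != "{":  # "REALM = {" only opens a block
                current.append((key, value))
    return sections

def preflight(passwd_text, krb5_text, impalad_flags=(), user="impala"):
    """Return one finding per workaround from the issue that is not in place."""
    findings = []
    local_users = {l.split(":", 1)[0] for l in passwd_text.splitlines() if l.strip()}
    if user not in local_users:
        findings.append("IMPALA-7585: no '%s' entry in /etc/passwd" % user)
    conf = parse_krb5(krb5_text)
    # Assumption: MIT krb5 treats an unset rdns as true.
    rdns = dict(conf.get("libdefaults", [])).get("rdns", "true").lower()
    if rdns in FALSE_VALUES:
        findings.append("IMPALA-7298: rdns is not true in /etc/krb5.conf")
    # Heuristic: any auth_to_local rule under [realms] may remap the principal.
    remaps = any(key == "auth_to_local" for key, _ in conf.get("realms", []))
    if remaps and "--use_system_auth_to_local=false" not in impalad_flags:
        findings.append("KUDU-2198: auth_to_local rules present, flag not set")
    return findings

if __name__ == "__main__":
    for finding in preflight(SAMPLE_PASSWD, SAMPLE_KRB5):
        print(finding)
```

On a real host, pass the contents of /etc/passwd and /etc/krb5.conf and the impalad startup flags; an empty list means all three workarounds are in place.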