You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@impala.apache.org by jo...@apache.org on 2018/04/16 18:27:53 UTC
[7/7] impala git commit: IMPALA-6514: [DOCS] impala-shell option for
load balancer and Kerberos
IMPALA-6514: [DOCS] impala-shell option for load balancer and Kerberos
Change-Id: I50d2063bfbe4838692777e2019ee3f3a991dfc21
Reviewed-on: http://gerrit.cloudera.org:8080/10047
Reviewed-by: Vincent Tran <vt...@cloudera.com>
Reviewed-by: Alex Rodoni <ar...@cloudera.com>
Tested-by: Impala Public Jenkins <im...@cloudera.com>
Project: http://git-wip-us.apache.org/repos/asf/impala/repo
Commit: http://git-wip-us.apache.org/repos/asf/impala/commit/5960d1b3
Tree: http://git-wip-us.apache.org/repos/asf/impala/tree/5960d1b3
Diff: http://git-wip-us.apache.org/repos/asf/impala/diff/5960d1b3
Branch: refs/heads/master
Commit: 5960d1b364a661a81c4513a33b6e9470282de162
Parents: e53bf27
Author: Alex Rodoni <ar...@cloudera.com>
Authored: Thu Apr 12 11:55:18 2018 -0700
Committer: Impala Public Jenkins <im...@cloudera.com>
Committed: Mon Apr 16 01:50:14 2018 +0000
----------------------------------------------------------------------
docs/topics/impala_proxy.xml | 40 +++++++++++++++++++++++++++----
docs/topics/impala_shell_options.xml | 29 ++++++++++++++++++++++
2 files changed, 64 insertions(+), 5 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/impala/blob/5960d1b3/docs/topics/impala_proxy.xml
----------------------------------------------------------------------
diff --git a/docs/topics/impala_proxy.xml b/docs/topics/impala_proxy.xml
index 1f5bb4b..588fada 100644
--- a/docs/topics/impala_proxy.xml
+++ b/docs/topics/impala_proxy.xml
@@ -238,11 +238,41 @@ under the License.
verify that the host they are connecting to is the same one that is
actually processing the request, to prevent man-in-the-middle attacks.
</p>
- <note>
- Once you enable a proxy server in a Kerberized cluster, users will not
- be able to connect to individual impala daemons directly from impala
- shell.
- </note>
+ <p>
+ In <keyword keyref="impala211_full">Impala 2.11</keyword> and lower
+ versions, once you enable a proxy server in a Kerberized cluster, users
+ will not be able to connect to individual impala daemons directly from
+ impala-shell.
+ </p>
+
+ <p>
+ In <keyword keyref="impala212_full">Impala 2.12</keyword> and higher,
+ if you enable a proxy server in a Kerberized cluster, users have an
+ option to connect to Impala daemons directly from
+ <cmdname>impala-shell</cmdname> using the <codeph>-b</codeph> /
+ <codeph>--kerberos_host_fqdn</codeph> option when you start
+ <cmdname>impala-shell</cmdname>. This option can be used for testing or
+ troubleshooting purposes, but not recommended for live production
+ environments as it defeats the purpose of a load balancer/proxy.
+ </p>
+
+ <p>
+ Example:
+<codeblock>
+impala-shell -i impalad-1.mydomain.com -k -b loadbalancer-1.mydomain.com
+</codeblock>
+ </p>
+
+ <p>
+ Alternatively, with the fully qualified
+ configurations:
+<codeblock>impala-shell --impalad=impalad-1.mydomain.com:21000 --kerberos --kerberos_host_fqdn=loadbalancer-1.mydomain.com</codeblock>
+ </p>
+ <p>
+ See <xref href="impala_shell_options.xml#shell_options"/> for
+ information about the option.
+ </p>
+
<p>
To clarify that the load-balancing proxy server is legitimate, perform
these extra Kerberos setup steps:
http://git-wip-us.apache.org/repos/asf/impala/blob/5960d1b3/docs/topics/impala_shell_options.xml
----------------------------------------------------------------------
diff --git a/docs/topics/impala_shell_options.xml b/docs/topics/impala_shell_options.xml
index d0407c9..73e2711 100644
--- a/docs/topics/impala_shell_options.xml
+++ b/docs/topics/impala_shell_options.xml
@@ -106,6 +106,35 @@ under the License.
<row>
<entry>
<p>
+ -b or
+ </p>
+ <p>
+ --kerberos_host_fqdn
+ </p>
+ </entry>
+ <entry>
+ <p>
+ kerberos_host_fqdn=
+ </p>
+ <p>
+ <varname>load-balancer-hostname</varname>
+ </p>
+ </entry>
+ <entry>
+ <p>
+ If set, the setting overrides the expected hostname of the
+ Impala daemon's Kerberos service principal.
+ <cmdname>impala-shell</cmdname> will check that the server's
+ principal matches this hostname. This may be used when
+ <codeph>impalad</codeph> is configured to be accessed via a
+ load-balancer, but it is desired for impala-shell to talk to a
+ specific <codeph>impalad</codeph> directly.
+ </p>
+ </entry>
+ </row>
+ <row>
+ <entry>
+ <p>
--print_header
</p>
</entry>