Posted to commits@impala.apache.org by ta...@apache.org on 2018/03/22 16:14:07 UTC
[7/7] impala git commit: IMPALA-2782: Allow impala-shell to connect
directly to impalad when configured with load balancer and kerberos.
IMPALA-2782: Allow impala-shell to connect directly to impalad when
configured with load balancer and kerberos.
This change adds an impala-shell option -b / --kerberos_host_fqdn.
This allows the user to optionally specify the load-balancer's host so
that impala-shell will accept a direct connection to impala daemons
in a kerberized cluster.
Change-Id: I4726226a7a3817421b133f74dd4f4cf8c52135f9
Reviewed-on: http://gerrit.cloudera.org:8080/7241
Reviewed-by: <an...@phdata.io>
Reviewed-by: Philip Zeyliger <ph...@cloudera.com>
Tested-by: Impala Public Jenkins
Project: http://git-wip-us.apache.org/repos/asf/impala/repo
Commit: http://git-wip-us.apache.org/repos/asf/impala/commit/8c1d1901
Tree: http://git-wip-us.apache.org/repos/asf/impala/tree/8c1d1901
Diff: http://git-wip-us.apache.org/repos/asf/impala/diff/8c1d1901
Branch: refs/heads/2.x
Commit: 8c1d1901c41e3818b41e7dd171c3eff9207106b8
Parents: d1450b6
Author: Vincent Tran <vt...@cloudera.com>
Authored: Tue Jun 20 22:09:17 2017 -0400
Committer: Impala Public Jenkins <im...@gerrit.cloudera.org>
Committed: Thu Mar 22 00:49:57 2018 +0000
----------------------------------------------------------------------
shell/impala_client.py | 18 ++++++++++++++----
shell/impala_shell.py | 3 ++-
shell/impala_shell_config_defaults.py | 1 +
shell/option_parser.py | 7 +++++++
4 files changed, 24 insertions(+), 5 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/impala/blob/8c1d1901/shell/impala_client.py
----------------------------------------------------------------------
diff --git a/shell/impala_client.py b/shell/impala_client.py
index 795768c..d4bfbee 100755
--- a/shell/impala_client.py
+++ b/shell/impala_client.py
@@ -59,11 +59,12 @@ class QueryCancelledByShellException(Exception): pass
class ImpalaClient(object):
- def __init__(self, impalad, use_kerberos=False, kerberos_service_name="impala",
- use_ssl=False, ca_cert=None, user=None, ldap_password=None,
- use_ldap=False):
+ def __init__(self, impalad, kerberos_host_fqdn, use_kerberos=False,
+ kerberos_service_name="impala", use_ssl=False, ca_cert=None, user=None,
+ ldap_password=None, use_ldap=False):
self.connected = False
self.impalad = impalad
+ self.kerberos_host_fqdn = kerberos_host_fqdn
self.imp_service = None
self.transport = None
self.use_kerberos = use_kerberos
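Review bot: `kerberos_host_fqdn` is added as a required second positional parameter of `ImpalaClient.__init__`, which shifts every later positional argument. A caller not updated in this commit that passes `use_kerberos` positionally would bind it to `kerberos_host_fqdn` and move the remaining authentication settings one slot over, possibly without any error. Appending the parameter with a default keeps existing callers working: `ldap_password=None, use_ldap=False, kerberos_host_fqdn=None):`, with `_new_impala_client` in shell/impala_shell.py passing `kerberos_host_fqdn=self.kerberos_host_fqdn`. A docstring line saying that the value is the hostname expected in the server's Kerberos principal would also help. The body of `__init__` continues outside the hunk.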
@@ -275,7 +276,16 @@ class ImpalaClient(object):
from TSSLSocketWithWildcardSAN import TSSLSocketWithWildcardSAN
# sasl does not accept unicode strings, explicitly encode the string into ascii.
- host, port = self.impalad[0].encode('ascii', 'ignore'), int(self.impalad[1])
+ # The kerberos_host_fqdn option exposes the SASL client's hostname attribute to
+ # the user. impala-shell checks to ensure this host matches the host in the kerberos
+ # principal. So in the presence of a load balancer, the its hostname is expected by
+ # impala-shell. Setting this option to the load balancer hostname allows impala-shell to
+ # connect directly to an impalad.
+ if self.kerberos_host_fqdn is not None:
+ host, port = (self.kerberos_host_fqdn.split(':')[0].encode('ascii', 'ignore'),
+ int(self.impalad[1]))
+ else:
+ host, port = self.impalad[0].encode('ascii', 'ignore'), int(self.impalad[1])
if self.use_ssl:
if self.ca_cert is None:
# No CA cert means don't try to verify the certificate
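Review bot: The hostname override is written into `host`, the same name that the connection set-up starting at `if self.use_ssl:` appears to use. If the socket and TLS name check below the hunk read `host`, then -b would send the connection to the load balancer and validate its certificate name instead of dialing `self.impalad[0]`, which is the opposite of what the comment describes. Keeping `host` as the impalad address and carrying the principal name separately, e.g. `sasl_host = self.kerberos_host_fqdn.split(':')[0].encode('ascii', 'ignore') if self.kerberos_host_fqdn else host`, would keep the two apart, with only the SASL client set-up (outside the hunk) reading `sasl_host`. That truthiness test also rejects an empty string, which `is not None` lets through as an empty SASL hostname. The branch is taken whether or not `self.use_kerberos` is set, so the option can change `host` for LDAP or unauthenticated sessions as well; the function starts and ends outside the hunk.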
http://git-wip-us.apache.org/repos/asf/impala/blob/8c1d1901/shell/impala_shell.py
----------------------------------------------------------------------
diff --git a/shell/impala_shell.py b/shell/impala_shell.py
index 50f5487..d9e6926 100755
--- a/shell/impala_shell.py
+++ b/shell/impala_shell.py
@@ -138,6 +138,7 @@ class ImpalaShell(object, cmd.Cmd):
self.is_alive = True
self.impalad = None
+ self.kerberos_host_fqdn = options.kerberos_host_fqdn
self.use_kerberos = options.use_kerberos
self.kerberos_service_name = options.kerberos_service_name
self.use_ssl = options.ssl
@@ -482,7 +483,7 @@ class ImpalaShell(object, cmd.Cmd):
return completed_cmd
def _new_impala_client(self):
- return ImpalaClient(self.impalad, self.use_kerberos,
+ return ImpalaClient(self.impalad, self.kerberos_host_fqdn, self.use_kerberos,
self.kerberos_service_name, self.use_ssl,
self.ca_cert, self.user, self.ldap_password,
self.use_ldap)
http://git-wip-us.apache.org/repos/asf/impala/blob/8c1d1901/shell/impala_shell_config_defaults.py
----------------------------------------------------------------------
diff --git a/shell/impala_shell_config_defaults.py b/shell/impala_shell_config_defaults.py
index c50ad87..9a74c85 100644
--- a/shell/impala_shell_config_defaults.py
+++ b/shell/impala_shell_config_defaults.py
@@ -30,6 +30,7 @@ impala_shell_defaults = {
'history_max': 1000,
'ignore_query_failure': False,
'impalad': socket.getfqdn() + ':21000',
+ 'kerberos_host_fqdn': None,
'kerberos_service_name': 'impala',
'output_delimiter': '\\t',
'output_file': None,
http://git-wip-us.apache.org/repos/asf/impala/blob/8c1d1901/shell/option_parser.py
----------------------------------------------------------------------
diff --git a/shell/option_parser.py b/shell/option_parser.py
index a1c37d2..ff161a9 100755
--- a/shell/option_parser.py
+++ b/shell/option_parser.py
@@ -126,6 +126,13 @@ def get_option_parser(defaults):
parser.add_option("-i", "--impalad", dest="impalad",
help="<host:port> of impalad to connect to \t\t")
+ parser.add_option("-b", "--kerberos_host_fqdn", dest="kerberos_host_fqdn",
+ help="If set, overrides the expected hostname of the Impalad's "
+ "kerberos service principal. impala-shell will check that "
+ "the server's principal matches this hostname. This may be "
+ "used when impalad is configured to be accessed via a "
+ "load-balancer, but it is desired for impala-shell to talk "
+ "to a specific impalad directly.")
parser.add_option("-q", "--query", dest="query",
help="Execute a query without the shell")
parser.add_option("-f", "--query_file", dest="query_file",
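Review bot: The help for -b says neither what form the value takes nor what the override changes about the identity check. shell/impala_client.py keeps only the part before the first ':', so a port given here is silently dropped. With the option set, Kerberos authentication shows that the peer holds the key for the named principal host rather than for the impalad address being dialed. I would add a sentence such as `"Expects a hostname without a port; the address given with -i is then not the name the principal is checked against."` to the help string. The call sits inside `get_option_parser`, which starts and ends outside the hunk.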