You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@impala.apache.org by "Wenzhe Zhou (Jira)" <ji...@apache.org> on 2022/05/11 20:57:00 UTC

[jira] [Resolved] (IMPALA-10745) impala-shell should support Kerberos over HTTP

     [ https://issues.apache.org/jira/browse/IMPALA-10745?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Wenzhe Zhou resolved IMPALA-10745.
----------------------------------
    Fix Version/s: Impala 4.2.0
       Resolution: Fixed

> impala-shell should support Kerberos over HTTP
> ----------------------------------------------
>
>                 Key: IMPALA-10745
>                 URL: https://issues.apache.org/jira/browse/IMPALA-10745
>             Project: IMPALA
>          Issue Type: New Feature
>            Reporter: Fang-Yu Rao
>            Assignee: Wenzhe Zhou
>            Priority: Major
>             Fix For: Impala 4.2.0
>
>
> Currently if we try to connect to a Kerberized impalad via "{{hs2-http}}" by executing "{{impala-shell --protocol='hs2-http' -k}}", there would be the following error.
> {noformat}
> [root@engesc8305d07-2 impalad]# impala-shell --protocol='hs2-http' -k
> Starting Impala Shell using Kerberos authentication
> Using service name 'impala'
> Warning: --connect_timeout_ms is currently ignored with HTTP transport.
> Kerberos not supported with HTTP endpoints.
> Error connecting: NotImplementedError,
> ***********************************************************************************
> Welcome to the Impala shell.
> (Impala Shell v3.4.0-SNAPSHOT (134517e) built on Thu Nov 26 15:55:15 UTC 2020)
> You can run a single query from the command line using the '-q' option.
> ***********************************************************************************
> [Not connected] >
> {noformat}
> In theory Impala already supports Kerberos over the HTTP protocol since we are able to connect to a Kerberized impalad via a JDBC driver.
> {noformat}
> [root@c3512-node2 ~]# beeline -d "com.cloudera.impala.jdbc41.Driver" -u 'jdbc:impala://c3512-node3.coelab.cloudera.com:28000/;transportMode=http;httpPath=cliservice;AuthMech=1;KrbRealm=SUPPORT.COM;KrbHostFQDN=_HOST;KrbServiceName=impala;SSL=1;SSLTrustStore=/tmp/gateway-client-trust.jks;SSLTrustStorePwd=changeit' -e 'select 1'
> Connecting to jdbc:impala://c3512-node3.coelab.cloudera.com:28000/;transportMode=http;httpPath=cliservice;AuthMech=1;KrbRealm=SUPPORT.COM;KrbHostFQDN=_HOST;KrbServiceName=impala;SSL=1;SSLTrustStore=/tmp/gateway-client-trust.jks;SSLTrustStorePwd=changeit
> Connected to: Impala (version 3.4.0-SNAPSHOT)
> Driver: ImpalaJDBC (version 02.06.23.1028)
> +---------+
> | expr_0 |
> +---------+
> | 1 |
> +---------+
> 1 row selected (1.227 seconds)
> {noformat}
> Specifically, IMPALA-8783 added Kerberos SPNEGO support to the http hs2 server and yet later on in IMPALA-8932 we added a condition to not try to connect via Kerberos if the protocol is HTTP at [https://gerrit.cloudera.org/c/14201/3/shell/impala_shell.py#816].
> It seems we could remove this additional condition to allow impala-shell to support Kerberos over HTTP.



--
This message was sent by Atlassian Jira
(v8.20.7#820007)