Posted to issues-all@impala.apache.org by "ASF subversion and git services (Jira)" <ji...@apache.org> on 2022/05/10 23:28:00 UTC

[jira] [Commented] (IMPALA-10745) impala-shell should support Kerberos over HTTP

    [ https://issues.apache.org/jira/browse/IMPALA-10745?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17534611#comment-17534611 ] 

ASF subversion and git services commented on IMPALA-10745:
----------------------------------------------------------

Commit 397d1d15a274b843aad9b4da8eaa1ab7dc468099 in impala's branch refs/heads/master from wzhou-code
[ https://gitbox.apache.org/repos/asf?p=impala.git;h=397d1d15a ]

IMPALA-10745: Support Kerberos over HTTP for impala-shell

This patch ports the implementation of GSSAPI authentication over http
transport from Impyla (https://github.com/cloudera/impyla/pull/415) to
impala-shell.

The implementation adds a new dependency on the 'kerberos' Python module,
which is a pip-installed module distributed under Apache License Version
2.
When using impala-shell with Kerberos over http, it is assumed that the
host has a preexisting kinit-cached Kerberos ticket that impala-shell
can pass to the server automatically without the user having to reenter
the password.

Testing:
 - Passed exhaustive tests.
 - Tested manually on a real cluster with a full Kerberos setup.

Change-Id: Ia59ba4004490735162adbd468a00a962165c5abd
Reviewed-on: http://gerrit.cloudera.org:8080/18493
Reviewed-by: Csaba Ringhofer <cs...@cloudera.com>
Tested-by: Impala Public Jenkins <im...@cloudera.com>


> impala-shell should support Kerberos over HTTP
> ----------------------------------------------
>
>                 Key: IMPALA-10745
>                 URL: https://issues.apache.org/jira/browse/IMPALA-10745
>             Project: IMPALA
>          Issue Type: New Feature
>            Reporter: Fang-Yu Rao
>            Assignee: Wenzhe Zhou
>            Priority: Major
>
> Currently if we try to connect to a Kerberized impalad via "{{hs2-http}}" by executing "{{impala-shell --protocol='hs2-http' -k}}", there would be the following error.
> {noformat}
> [root@engesc8305d07-2 impalad]# impala-shell --protocol='hs2-http' -k
> Starting Impala Shell using Kerberos authentication
> Using service name 'impala'
> Warning: --connect_timeout_ms is currently ignored with HTTP transport.
> Kerberos not supported with HTTP endpoints.
> Error connecting: NotImplementedError,
> ***********************************************************************************
> Welcome to the Impala shell.
> (Impala Shell v3.4.0-SNAPSHOT (134517e) built on Thu Nov 26 15:55:15 UTC 2020)
> You can run a single query from the command line using the '-q' option.
> ***********************************************************************************
> [Not connected] >
> {noformat}
> In theory Impala already supports Kerberos over the HTTP protocol since we are able to connect to a Kerberized impalad via a JDBC driver.
> {noformat}
> [root@c3512-node2 ~]# beeline -d "com.cloudera.impala.jdbc41.Driver" -u 'jdbc:impala://c3512-node3.coelab.cloudera.com:28000/;transportMode=http;httpPath=cliservice;AuthMech=1;KrbRealm=SUPPORT.COM;KrbHostFQDN=_HOST;KrbServiceName=impala;SSL=1;SSLTrustStore=/tmp/gateway-client-trust.jks;SSLTrustStorePwd=changeit' -e 'select 1'
> Connecting to jdbc:impala://c3512-node3.coelab.cloudera.com:28000/;transportMode=http;httpPath=cliservice;AuthMech=1;KrbRealm=SUPPORT.COM;KrbHostFQDN=_HOST;KrbServiceName=impala;SSL=1;SSLTrustStore=/tmp/gateway-client-trust.jks;SSLTrustStorePwd=changeit
> Connected to: Impala (version 3.4.0-SNAPSHOT)
> Driver: ImpalaJDBC (version 02.06.23.1028)
> +---------+
> | expr_0  |
> +---------+
> | 1       |
> +---------+
> 1 row selected (1.227 seconds)
> {noformat}
> Specifically, IMPALA-8783 added Kerberos SPNEGO support to the http hs2 server and yet later on in IMPALA-8932 we added a condition to not try to connect via Kerberos if the protocol is HTTP at [https://gerrit.cloudera.org/c/14201/3/shell/impala_shell.py#816].
> It seems we could remove this additional condition to allow impala-shell to support Kerberos over HTTP.



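An added example (not code from the impala-shell or Impyla patch) of the SPNEGO exchange the commit message refers to: the client turns its kinit-cached ticket into an "Authorization: Negotiate" header and, going one step beyond what the message describes, checks the token in the server's reply. The authGSS* calls, AUTH_GSS_COMPLETE and GSSError are those of the 'kerberos' module; FakeGSS, the function names and the host impalad.example.com are assumptions constructed for the example.

```python
import base64
import re

_NEGOTIATE = re.compile(r"(?:^|,)\s*Negotiate(?:\s+([A-Za-z0-9+/]+=*))?\s*(?:,|$)", re.I)

def negotiate_token(www_authenticate):
    """None if Negotiate is not offered, "" for a bare challenge, else the base64 token."""
    m = _NEGOTIATE.search(www_authenticate or "")
    return None if m is None else (m.group(1) or "")

def first_request_header(service, host, gss):
    """Build the Authorization value from the kinit ticket cache; no password is asked for."""
    _, ctx = gss.authGSSClientInit("%s@%s" % (service, host))
    gss.authGSSClientStep(ctx, "")  # empty challenge: produce the initial token
    return ctx, "Negotiate " + gss.authGSSClientResponse(ctx)

def server_is_authenticated(ctx, www_authenticate, gss):
    """True only if the server's reply token completes the GSS context (mutual auth)."""
    token = negotiate_token(www_authenticate)
    if not token:
        return False  # no token in the reply: the server proved nothing
    try:
        return gss.authGSSClientStep(ctx, token) == gss.AUTH_GSS_COMPLETE
    except gss.GSSError:
        return False

class FakeGSS:
    """Constructed stand-in for the 'kerberos' module so the flow runs without a KDC."""
    AUTH_GSS_CONTINUE, AUTH_GSS_COMPLETE = 0, 1
    class GSSError(Exception): pass

    def authGSSClientInit(self, spn):
        return self.AUTH_GSS_COMPLETE, {"spn": spn.encode(), "out": None}

    def authGSSClientStep(self, ctx, challenge):
        if challenge == "":
            ctx["out"] = base64.b64encode(b"AP-REQ for " + ctx["spn"]).decode()
            return self.AUTH_GSS_CONTINUE
        if base64.b64decode(challenge) != b"AP-REP from " + ctx["spn"]:
            raise self.GSSError("reply token is not from the requested service")
        return self.AUTH_GSS_COMPLETE

    def authGSSClientResponse(self, ctx):
        return ctx["out"]

if __name__ == "__main__":
    gss = FakeGSS()  # with a real ticket cache: import kerberos as gss
    ctx, header = first_request_header("impala", "impalad.example.com", gss)
    print("Authorization:", header)
```

With a real ticket cache, pass the imported 'kerberos' module as gss in place of FakeGSS; a missing or expired ticket then surfaces as GSSError from the first step rather than as a password prompt.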