You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@impala.apache.org by "Fang-Yu Rao (Jira)" <ji...@apache.org> on 2021/06/10 16:26:00 UTC

[jira] [Created] (IMPALA-10745) impala-shell should support Kerberos over HTTP

Fang-Yu Rao created IMPALA-10745:
------------------------------------

             Summary: impala-shell should support Kerberos over HTTP
                 Key: IMPALA-10745
                 URL: https://issues.apache.org/jira/browse/IMPALA-10745
             Project: IMPALA
          Issue Type: New Feature
            Reporter: Fang-Yu Rao
            Assignee: Fang-Yu Rao


Currently if we try to connect to a Kerberized impalad via "{{hs2-http}}" by executing "{{impala-shell --protocol='hs2-http' -k}}", there would be the following error.
{noformat}
[root@engesc8305d07-2 impalad]# impala-shell --protocol='hs2-http' -k
Starting Impala Shell using Kerberos authentication
Using service name 'impala'
Warning: --connect_timeout_ms is currently ignored with HTTP transport.
Kerberos not supported with HTTP endpoints.
Error connecting: NotImplementedError,
***********************************************************************************
Welcome to the Impala shell.
(Impala Shell v3.4.0-SNAPSHOT (134517e) built on Thu Nov 26 15:55:15 UTC 2020)

You can run a single query from the command line using the '-q' option.
***********************************************************************************
[Not connected] >
{noformat}
In theory Impala already supports Kerberos over the HTTP protocol since we are able to connect to a Kerberized impalad via a JDBC driver.
{noformat}
[root@c3512-node2 ~]# beeline -d "com.cloudera.impala.jdbc41.Driver" -u 'jdbc:impala://c3512-node3.coelab.cloudera.com:28000/;transportMode=http;httpPath=cliservice;AuthMech=1;KrbRealm=SUPPORT.COM;KrbHostFQDN=_HOST;KrbServiceName=impala;SSL=1;SSLTrustStore=/tmp/gateway-client-trust.jks;SSLTrustStorePwd=changeit' -e 'select 1'
Connecting to jdbc:impala://c3512-node3.coelab.cloudera.com:28000/;transportMode=http;httpPath=cliservice;AuthMech=1;KrbRealm=SUPPORT.COM;KrbHostFQDN=_HOST;KrbServiceName=impala;SSL=1;SSLTrustStore=/tmp/gateway-client-trust.jks;SSLTrustStorePwd=changeit
Connected to: Impala (version 3.4.0-SNAPSHOT)
Driver: ImpalaJDBC (version 02.06.23.1028)
+---------+
| expr_0 |
+---------+
| 1 |
+---------+
1 row selected (1.227 seconds)
{noformat}
Specifically, IMPALA-8783 added Kerberos SPNEGO support to the http hs2 server and yet later on in IMPALA-8932 we added a condition to not try to connect via Kerberos if the protocol is HTTP at [https://gerrit.cloudera.org/c/14201/3/shell/impala_shell.py#816].

It seems we could remove this additional condition to allow impala-shell to support Kerberos over HTTP.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)