Enable Kerberos Authentication
You can enable Kerberos authentication for Impala on both secure and insecure MapR clusters. Once you have configured Impala to use Kerberos for authentication, restart Impala and then start the impala-shell with the -s mapr -k flags to enable Kerberos.
To enable Kerberos authentication for Impala, complete the following steps:
- Copy the following files to the $IMPALA_HOME/conf/ directory:
  - $HIVE_HOME/conf/hive-site.xml
  - $HADOOP_HOME/etc/hadoop/core-site.xml
  NOTE: Any time the hive-site.xml file is modified, copy the file to the $IMPALA_HOME/conf/ directory again.
- Create service principals for each host that runs impalad, catalogd, or statestored, and for the HTTP service. Principal names take the following form:
  mapr/<fully.qualified.domain.name>@<KERBEROS.REALM>
  - Create an Impala service principal and specify the following information:
    - Name "mapr"
    - Fully qualified domain name of each node running impalad
    - Realm name
    kadmin: addprinc +requires_preauth -randkey +allow_renewable mapr/impala_host.example.com@TEST.EXAMPLE.COM
    (In kadmin, a + prefix enables a principal attribute and a - prefix disables it; -randkey is a separate option that generates a random key. The principal must be renewable for the "renew until" check below to succeed.)
  - Create an HTTP service principal.
    kadmin: addprinc -randkey HTTP/impala_host.example.com@TEST.EXAMPLE.COM
- Create, merge, and distribute keytab files for the principals.
  - Create keytab files with both principals.
    kadmin: xst -k /opt/mapr/conf/mapr.keytab mapr/impala_host.example.com
    kadmin: xst -k /opt/mapr/conf/http.keytab HTTP/impala_host.example.com
  - Use the ktutil utility to read the content of both keytab files and then write the content to a new, merged file.
    ktutil
    ktutil: rkt /opt/mapr/conf/mapr.keytab
    ktutil: rkt /opt/mapr/conf/http.keytab
    ktutil: wkt /opt/mapr/conf/mapr-http.keytab
    ktutil: quit
  - Optionally, test the credentials in the merged keytab file to verify their validity and to verify that the "renew until" date is set to a future time.
    klist -e -k -t /opt/mapr/conf/mapr-http.keytab
  - Change the file owner to the mapr user and restrict the permissions so that mapr is the only user authorized to read the file content.
    chmod 400 /opt/mapr/conf/mapr-http.keytab
- Edit /opt/mapr/impala/impala-<version>/conf/env.sh to include the fully qualified domain name for the IMPALA_STATE_STORE_HOST and CATALOG_SERVICE_HOST variables, and the Kerberos options.
  - Set the IMPALA_STATE_STORE_HOST and CATALOG_SERVICE_HOST variables to point to the fully qualified domain name.
    IMPALA_STATE_STORE_HOST=impala_host.example.com
    IMPALA_STATE_STORE_PORT=24000
    CATALOG_SERVICE_HOST=impala_host.example.com
  - Add the following Kerberos options for the impalad, catalogd, and statestored daemons using the IMPALA_SERVER_ARGS, IMPALA_CATALOG_ARGS, and IMPALA_STATE_STORE_ARGS variables:
    -kerberos_reinit_interval=60 -principal=mapr/impala_host.example.com@TEST.EXAMPLE.COM -keytab_file=/opt/mapr/conf/mapr-http.keytab
    For example, IMPALA_SERVER_ARGS with the Kerberos options added:
    IMPALA_SERVER_ARGS=" \
        -log_dir=${IMPALA_LOG_DIR} \
        -state_store_port=${IMPALA_STATE_STORE_PORT} \
        -use_statestore \
        -authorized_proxy_user_config=mapr=* \
        -state_store_host=${IMPALA_STATE_STORE_HOST} \
        -catalog_service_host=${CATALOG_SERVICE_HOST} \
        -be_port=${IMPALA_BACKEND_PORT} \
        -disable_admission_control=true \
        -kerberos_reinit_interval=60 \
        -principal=mapr/impala_host.example.com@TEST.EXAMPLE.COM \
        -keytab_file=/opt/mapr/conf/mapr-http.keytab"
- Restart Impala and the catalog and statestore services. See Managing Impala.
- To enable Kerberos from the impala-shell, start the impala-shell with the -s mapr -k flags.
  impala-shell -s mapr -k
  For more information on changing the Impala defaults specified in env.sh, see Impala-Shell Commands.
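As an added example (not from the MapR documentation), the following POSIX shell script checks the result of the procedure above from the operator's side: that the merged keytab lists both the mapr and the HTTP principal, that the keytab is mode 0400 and owned by mapr, and that env.sh points the statestore and catalog host variables at a fully qualified name and carries the three Kerberos flags in all three *_ARGS variables. The klist output and the env.sh fragment embedded in it are constructed samples; the paths, host name and realm reuse the example values from this page.

```shell
#!/bin/sh
# Added post-configuration checks for the Impala Kerberos setup (not MapR's own code).
# Assumptions, constructed for illustration: the sample klist output and the sample
# env.sh fragment below. REALM, HOST and KEYTAB reuse the example values from the page.

REALM=TEST.EXAMPLE.COM
HOST=impala_host.example.com
KEYTAB=/opt/mapr/conf/mapr-http.keytab

# Constructed sample of `klist -e -k -t` output for a correctly merged keytab.
SAMPLE_KLIST="Keytab name: FILE:/opt/mapr/conf/mapr-http.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 01/15/2024 10:00:00 mapr/impala_host.example.com@TEST.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 01/15/2024 10:00:00 HTTP/impala_host.example.com@TEST.EXAMPLE.COM (aes256-cts-hmac-sha1-96)"

# Constructed sample env.sh fragment with the host variables and Kerberos options set.
SAMPLE_ENV_SH='IMPALA_STATE_STORE_HOST=impala_host.example.com
IMPALA_STATE_STORE_PORT=24000
CATALOG_SERVICE_HOST=impala_host.example.com
KRB_OPTS="-kerberos_reinit_interval=60 -principal=mapr/impala_host.example.com@TEST.EXAMPLE.COM -keytab_file=/opt/mapr/conf/mapr-http.keytab"
IMPALA_SERVER_ARGS="-state_store_host=${IMPALA_STATE_STORE_HOST} -catalog_service_host=${CATALOG_SERVICE_HOST} ${KRB_OPTS}"
IMPALA_CATALOG_ARGS="${KRB_OPTS}"
IMPALA_STATE_STORE_ARGS="${KRB_OPTS}"'

# keytab_lists_both: succeed only if klist output ($1) names both the mapr and the
# HTTP principal for host $2 in realm $3, i.e. the ktutil merge picked up both keytabs.
keytab_lists_both() {
    printf '%s\n' "$1" | grep -qF "mapr/$2@$3" &&
    printf '%s\n' "$1" | grep -qF "HTTP/$2@$3"
}

# file_restricted: succeed only if $1 is mode 0400 and owned by $2; any other mode or
# owner means another local account could read the keytab. A trailing "." or "+"
# that ls adds for SELinux contexts or ACLs is ignored.
file_restricted() {
    mode_owner=$(ls -ld "$1" | awk '{sub(/[.+]$/, "", $1); print $1, $3}')
    [ "$mode_owner" = "-r-------- $2" ]
}

# args_have_kerberos: succeed only if a daemon argument string ($1) carries all three
# Kerberos flags the page adds (principal, keytab file, reinit interval).
args_have_kerberos() {
    for flag in -principal= -keytab_file= -kerberos_reinit_interval=; do
        case "$1" in *"$flag"*) ;; *) return 1 ;; esac
    done
}

# is_fqdn: reject empty, unqualified or loopback host values, since the service
# principal is bound to the fully qualified domain name.
is_fqdn() {
    case "$1" in
        ""|localhost|127.*|*.|.*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# env_sh_ok: source env.sh ($1) in a subshell and check the host variables and all
# three *_ARGS values; the subshell keeps its definitions out of this script.
env_sh_ok() {
    (
        . "$1"
        is_fqdn "$IMPALA_STATE_STORE_HOST" && is_fqdn "$CATALOG_SERVICE_HOST" &&
        args_have_kerberos "$IMPALA_SERVER_ARGS" &&
        args_have_kerberos "$IMPALA_CATALOG_ARGS" &&
        args_have_kerberos "$IMPALA_STATE_STORE_ARGS"
    )
}

# Stand-alone run: exercise the checks on the constructed samples, then on the real
# keytab when the script is run on an Impala node that has it.
if keytab_lists_both "$SAMPLE_KLIST" "$HOST" "$REALM"; then
    echo "sample keytab listing: both principals present"
fi
tmp_env=$(mktemp) && printf '%s\n' "$SAMPLE_ENV_SH" > "$tmp_env"
if env_sh_ok "$tmp_env"; then
    echo "sample env.sh: host variables and Kerberos options OK"
fi
rm -f "$tmp_env"
if [ -r "$KEYTAB" ]; then
    file_restricted "$KEYTAB" mapr || echo "WARNING: $KEYTAB is not mode 0400 owned by mapr"
    keytab_lists_both "$(klist -e -k -t "$KEYTAB")" "$HOST" "$REALM" ||
        echo "WARNING: $KEYTAB does not contain both the mapr/ and the HTTP/ principal"
fi
```

Run it on each Impala node after editing env.sh; point env_sh_ok at the real /opt/mapr/impala/impala-<version>/conf/env.sh to check the live file. The real keytab is only examined when it exists, so the script is safe to run on a workstation first.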