Impala Security

You can configure Impala to use the following security features on a secure and insecure MapR cluster:

Feature Description
LDAP You can configure LDAP authentication for client connections with Impala. You can use LDAP authentication with Sentry to authenticate users and provide precise levels of access to users. See LDAP Authentication for Impala.
Kerberos You can configure Impala to use Kerberos for authentication. You can also use Sentry authorization in conjunction with Kerberos if you want to configure user-level access to databases, tables, columns, and partitions. See Enable Kerberos Authentication for Impala.
SSL You can enable SSL network encryption for communication between Impala and client programs and between Impala nodes in a cluster. See Enable SSL for Impala.
Note: Impala does not directly support SASL-enabled MapR clusters and cannot authenticate users accessing data from an Impala client. You can enable MapR SASL for the Hive metastore. When the Hive metastore is SASL enabled, Impala can run in any security mode (none, LDAP, or Kerberos). To avoid security holes, configure Impala on Kerberos or LDAP. If Impala is not secure or only has LDAP authentication enabled, only the client connection to Impala is authenticated and there is no wire level encryption or server-to-server authentication.

You can configure Impala to use security features and components listed below on a secure MapR cluster when Kerberos is used for authentication and Hive is also secure.

The following security matrix assumes that each component is configured with Kerberos for authentication. For example, if you run Impala with Hive and Hue, each component (Impala, Hive, and Hue) must use Kerberos for authentication.

Component Version Impala 1.4.1 Impala 2.2.0
MapR 4.0.1 Yes No
  5.x Yes Yes
LDAP N/A Yes Yes
Kerberos N/A Yes Yes
Sentry 1.4 Yes No
  1.6 No Yes
Hue 3.6 Yes No
  3.9 Yes Yes
Hive 0.13 Yes No
  1.2.1 No Yes

The following table provides the supported and unsupported component and security combinations on a secure MapR cluster:

Impala Security Mode Hive + MapR SASL Hive + Kerberos
None supported not supported
LDAP supported not supported
Kerberos supported supported