LDAP Authentication
As of Impala 1.2.3, client connections with Impala can be authenticated against LDAP servers. You can configure LDAP authentication for client connections with Impala on a non-secure MapR cluster. When you configure LDAP authentication, you must configure SSL between the client and Impala, and between Impala and the LDAP server to avoid sending credentials over the wire in clear text. Configuration requirements apply to the server side when configuring and starting Impala.
If the Hive metastore has MapR-SASL enabled, copy $HIVE_HOME/conf/hive-site.xml
to
$IMPALA_HOME/conf/
. Repeat this step any time the
hive-site.xml
file is modified.
Modify /opt/mapr/impala/impala-<version>/conf/env.sh
and include the
following options to configure Impala server LDAP authentication:
Options | Description |
--enable_ldap_auth | Set this option to "true " in all environments to enable LDAP
authentication between Impala and the client. |
--ldap_uri | Sets the URI of the LDAP server to use. Typically, the URI is prefixed with
ldap://<hostname> . Optionally, the URI can specify the port. For
example, ldap://<hostname>:<port> . |
--ldap_manual_config extend col | Bypasses all of the automatic configuration if you need to provide a custom SASL. |
--ldap_tls | Tells Impala to start a TLS connection to the LDAP server and to fail authentication if Impala cannot start the TLS connection. |
IMPALA_SERVER_ARGS=" \
-log_dir=${IMPALA_LOG_DIR} \
-state_store_port=${IMPALA_STATE_STORE_PORT} \
-enable_ldap_auth=true \
-ldap_uri=ldap://10.250.1.5/ \
-ldap_tls=true \
-use_statestore \
-state_store_host=${IMPALA_STATE_STORE_HOST} \
-catalog_service_host=${CATALOG_SERVICE_HOST} \
-be_port=${IMPALA_BACKEND_PORT}"
After you restart the Impala server, statestore, and catalog, you can connect to Impala using LDAP authentication. To connect to Impala, launch the impala-shell from a client node and issue the following commands:
Command | Description |
-l |
Enables LDAP authentication. |
-u |
Sets the user. The impala-shell prompts you for the password. Per Active Directory, the user is the short username, not the full LDAP distinguished name. |
--ldap_password_cmd |
(Impala 2.5.0 only) Sets the bash command to retrieve the LDAP user password. |
impala-shell -l -u uid=qa-user1,ou=People,dc=maprtech,dc=com --ldap_password_cmd="echo -n
secret"