Enable Kerberos Authentication

IMPORTANT This component is deprecated. Hewlett Packard Enterprise recommends using an alternate product. For more information, see Discontinued Ecosystem Components.

You can enable Kerberos authentication for Impala on a secure and non-secure cluster.

Once you have configured Impala to use Kerberos for authentication, restart Impala and then start the impala-shell with the -s mapr -k flags to enable Kerberos.

To enable Kerberos authentication for Impala, complete the following steps:
  1. Enable encryption between RPC services under Kerberos by changing the value of "hadoop.rpc.protection" in core-site.xml to "privacy", and copy core-site.xml to the Impala conf directory.
    Then restart the Warden service to apply the change to core-site.xml.
  2. Copy the following files to the $IMPALA_HOME/conf/ directory:
    • $HIVE_HOME/conf/hive-site.xml
    • $HADOOP_HOME/etc/hadoop/core-site.xml
    NOTE Any time the hive-site.xml file is modified, copy the file to the $IMPALA_HOME/conf/ directory.
  3. Create service principals for each host that runs impalad, catalogd, or statestored and for the HTTP service. Principal names take the following form:
    1. Create an Impala service principal and specify the following information:
      • Name “mapr”
      • Fully qualified domain name of each node running impalad
      • Realm name

        kadmin: addprinc -requires_preauth -randkey -allow_renewable mapr/impala_host.example.com@TEST.EXAMPLE.COM
    2. Create an HTTP service principal.
      kadmin: addprinc -randkey HTTP/impala_host.example.com@TEST.EXAMPLE.COM
  4. Create, merge, and distribute keytab files for the principals.
    1. Create a keytab file for each of the two principals (the merge in the next step reads both files).
      kadmin: xst -k /opt/mapr/conf/mapr.keytab mapr/impala_host.example.com
      kadmin: xst -k /opt/mapr/conf/http.keytab HTTP/impala_host.example.com
    2. Use the ktutil utility to read the content of both keytab files and write it to a single merged keytab file.
      ktutil: rkt /opt/mapr/conf/mapr.keytab
      ktutil: rkt /opt/mapr/conf/http.keytab
      ktutil: wkt /opt/mapr/conf/mapr-http.keytab
      ktutil: quit
    3. Optionally, test the credentials in the merged keytab file to verify their validity and to verify that “renew until” data is set to a future time.
      klist -e -k -t /opt/mapr/conf/mapr-http.keytab
    4. Make the mapr user the owner of the file and restrict read permission to that owner, so that mapr is the only user authorized to read the keytab (the command below sets the permission bits; the file must already be owned by mapr).
      chmod 400 /opt/mapr/conf/mapr-http.keytab
  5. Edit /opt/mapr/impala/impala-<version>/conf/env.sh to include the fully qualified domain name in the IMPALA_STATE_STORE_HOST and CATALOG_SERVICE_HOST variables, and to add the Kerberos options.
    1. Set the IMPALA_STATE_STORE_HOST and CATALOG_SERVICE_HOST variables to point to the fully qualified domain name.
    2. Add the following Kerberos options (-kerberos_reinit_interval, -principal, and -keytab_file) to the arguments of the impalad, catalogd, and statestored daemons through the IMPALA_SERVER_ARGS, IMPALA_CATALOG_ARGS, and IMPALA_STATE_STORE_ARGS variables. The example shows the end of the quoted IMPALA_SERVER_ARGS value for impalad; the final double quote closes that value:
           -log_dir=${IMPALA_LOG_DIR} \
           -state_store_port=${IMPALA_STATE_STORE_PORT} \
           -use_statestore \
           -authorized_proxy_user_config=mapr=* \
           -state_store_host=${IMPALA_STATE_STORE_HOST} \
           -catalog_service_host=${CATALOG_SERVICE_HOST} \
           -be_port=${IMPALA_BACKEND_PORT} \
           -disable_admission_control=true \
           -kerberos_reinit_interval=60 \
           -principal=mapr/impala_host.example.com@TEST.EXAMPLE.COM \
           -keytab_file=/opt/mapr/conf/mapr-http.keytab "
    3. Restart Impala and the catalog and statestore services. See Managing Impala.
    4. To enable Kerberos from the impala-shell, start the impala-shell with the -s mapr -k flags.
      impala-shell -s mapr -k
      For more information on changing the Impala defaults specified in env.sh, see Impala-Shell Commands.
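The following script is an added example and not part of this documentation: it checks the result of step 4 (both principals in the merged keytab, mode 400) and of step 5 (the -principal value in env.sh actually exists in that keytab), which are the usual causes of a Kerberos start-up failure after this procedure. The function names and the env.sh path are my own; the keytab path and principal names are the ones used above, and MIT Kerberos klist is assumed.

```shell
#!/bin/sh
# Added example, not part of the HPE/MapR documentation: after step 4 and step 5,
# check that the merged keytab holds both principals, is readable only by its
# owner, and contains the principal named by -principal= in env.sh. Assumes MIT
# Kerberos klist and the paths and principal names used in the steps above.

KEYTAB=/opt/mapr/conf/mapr-http.keytab
ENV_SH='/opt/mapr/impala/impala-<version>/conf/env.sh'   # substitute the version
IMPALA_PRINC='mapr/impala_host.example.com@TEST.EXAMPLE.COM'
HTTP_PRINC='HTTP/impala_host.example.com@TEST.EXAMPLE.COM'

# keytab_has_principals LISTING PRINC...
# LISTING is a file holding the output of `klist -e -k -t KEYTAB`. Succeeds only
# if every PRINC appears as a whole field, so a name without its realm, or a
# principal for a different host, is reported as missing.
keytab_has_principals() {
    listing=$1; shift
    for p in "$@"; do
        awk -v want="$p" '{ for (i = 1; i <= NF; i++) if ($i == want) found = 1 }
                          END { exit (found ? 0 : 1) }' "$listing" ||
            { echo "missing principal in keytab: $p" >&2; return 1; }
    done
    return 0
}

# keytab_mode_ok KEYTAB: true only if the mode is exactly 0400 (step 4.4)
keytab_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || mode=$(stat -f '%Lp' "$1")  # GNU, then BSD
    [ "$mode" = "400" ]
}

# principal_from_env ENV_SH: prints the value of the -principal= option in env.sh
principal_from_env() {
    sed -n 's/.*-principal=\([^[:space:]"\\]*\).*/\1/p' "$1" | head -n 1
}

# verify_keytab: run every check against the real keytab and env.sh
verify_keytab() {
    cfg_princ=$(principal_from_env "$ENV_SH")
    [ -n "$cfg_princ" ] || { echo "no -principal= option found in $ENV_SH" >&2; return 1; }
    tmp=$(mktemp) || return 1
    klist -e -k -t "$KEYTAB" > "$tmp" || { rm -f "$tmp"; return 1; }
    keytab_has_principals "$tmp" "$IMPALA_PRINC" "$HTTP_PRINC" "$cfg_princ"
    rc=$?
    rm -f "$tmp"
    [ "$rc" -eq 0 ] && keytab_mode_ok "$KEYTAB"
}
```

Run verify_keytab as the mapr user on each Impala host after editing env.sh; a non-zero exit names the missing principal on stderr.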