Impala Security
Features
- By design, Impala security secures data outside the underlying filesystem, which creates the potential of backdoor access. When you enable Impala authorization using Sentry, the platform security is bypassed and the HPE Ezmeral Data Fabric can no longer fully secure your data.
- If you enable this Impala security, impersonation is disabled and ownership of the data shifts to the Impala user. Regular users can then no longer reach the "Impala" data by any means other than Hive or Impala, because they no longer own it.
You can configure Impala to use the security features listed in the next table on either a secure or a non-secure cluster. If you use the Installer and select Enable Secure Cluster, Impala will not be automatically secured.
| Feature | Description |
| --- | --- |
| LDAP | You can configure LDAP authentication for client connections with Impala. You can use LDAP authentication with Sentry to authenticate users and provide precise levels of access to users. See LDAP Authentication for Impala. |
| Kerberos | You can configure Impala to use Kerberos for authentication. You can also use Sentry authorization in conjunction with Kerberos if you want to configure user-level access to databases, tables, columns, and partitions. See Enable Kerberos Authentication for Impala. |
| HPE Ezmeral Data Fabric Security | You can configure security between Impala and Hive. See Configure Hive Metastore to use MapR-SASL. NOTE: By default there is no security between the Impala client and the Impala server. To avoid security holes, you must configure the Impala client for Kerberos or LDAP. |
| SSL | You can enable SSL network encryption for communication between Impala and client programs and between Impala nodes in a cluster. See Enable SSL for Impala. |
- Between the Impala server and client (JDBC, impala-shell): Kerberos or LDAP. However, you might encounter issues with Impala on Kerberos when using the JDBC connector.
- Between Impala (the Impala catalog) and the Hive metastore: HPE Ezmeral Data Fabric ticket security or Kerberos.
To avoid security holes, configure Impala on Kerberos or LDAP. If Impala is not secure or only has LDAP authentication enabled, only the client connection to Impala is authenticated and there is no wire level encryption or server-to-server authentication.
You can enable MapR SASL for the Hive metastore. When the Hive metastore is SASL enabled, Impala can run in any security mode (none, LDAP, or Kerberos).
Component Compatibility
You can configure Impala to use the components and features listed below on a secure cluster. The following table assumes that each component is configured with Kerberos on Impala. Hive and Hue can be configured with security for authentication.
| Component | Version | Impala 1.4.1 | Impala 2.2.0 | Impala 2.5.0 | Impala 2.7.0 | Impala 2.10 |
| --- | --- | --- | --- | --- | --- | --- |
| Core | 6.0.x and later | Yes | Yes | Yes | Yes | Yes |
| Core | 5.1.x and later | Yes | Yes | Yes | Yes | Yes |
| Core | 5.0.x | Yes | Yes | No | No | No |
| Core | 4.0.1 | Yes | No | No | No | No |
| LDAP | N/A | Yes | Yes | Yes | Yes | Yes |
| Kerberos | N/A | Yes | Yes | Yes | Yes | Yes |
| Sentry | 1.7 | No | No | No | Yes | Yes |
| Sentry | 1.6 | No | Yes | Yes | No | No |
| Hue | 4.2 | No | No | No | No | Yes |
| Hue | 3.12 | No | No | No | Yes | Yes |
| Hue | 3.9 | Yes | Yes | Yes | No | No |
| Hue | 3.6 | Yes | No | No | No | No |
| Hue | 1.4 | Yes | No | No | No | No |
| Hive | 2.3 | No | No | No | No | Yes |
| Hive | 2.1.x | No | No | No | Yes | Yes |
| Hive | 1.2.1 | No | Yes | Yes | No | No |
| Hive | 0.13 | Yes | No | No | No | No |
The following table lists the supported and unsupported component and security combinations necessary to access the Hive metastore:
| Impala Client Security Mode | Hive + MapR SASL (NOTE: the Impala Catalog accesses the Hive Metastore using the default security) | Hive + Kerberos |
| --- | --- | --- |
| None | Supported | Not supported |
| LDAP | Supported | Not supported |
| Kerberos | Supported (NOTE: issues with JDBC might exist) | Supported |
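The following Python script is an added example, not part of this documentation or the product: it derives the posture described above (client authentication, wire encryption, server-to-server authentication) from an impalad command line and checks the resulting client mode against the Hive metastore matrix. It assumes the MapR-packaged impalad accepts the upstream Apache Impala flags --principal, --keytab_file, --enable_ldap_auth, --ssl_server_certificate and --ssl_private_key; any command lines fed to it are constructed samples.

```python
import shlex
from dataclasses import dataclass, field

# Added example, not product code. Assumption: the MapR-packaged impalad
# accepts the upstream Apache Impala flags named below (e.g. via IMPALA_SERVER_ARGS).
KERBEROS_FLAGS = ("principal", "keytab_file")
SSL_FLAGS = ("ssl_server_certificate", "ssl_private_key")

# Client security mode -> Hive metastore security -> supported (matrix on this page)
METASTORE_MATRIX = {
    "none":     {"MapR SASL": True, "Kerberos": False},
    "LDAP":     {"MapR SASL": True, "Kerberos": False},
    "Kerberos": {"MapR SASL": True, "Kerberos": True},
}

@dataclass
class Posture:
    client_auth: str             # "none", "LDAP" or "Kerberos"
    wire_encryption: bool        # SSL enabled for client and inter-node traffic
    server_to_server_auth: bool  # only Kerberos provides this
    findings: list = field(default_factory=list)

def parse_flags(cmdline: str) -> dict:
    """Turn '--key=value --bare_flag ...' into a dict (bare flag -> 'true')."""
    flags = {}
    for tok in shlex.split(cmdline):
        if tok.startswith("--"):
            key, sep, val = tok[2:].partition("=")
            flags[key] = val if sep else "true"
    return flags

def assess(cmdline: str, hive_metastore: str = "MapR SASL") -> Posture:
    """Derive the posture described on this page for one impalad command line."""
    f = parse_flags(cmdline)
    kerberos = all(f.get(k) for k in KERBEROS_FLAGS)        # both flags needed
    ldap = f.get("enable_ldap_auth", "false").lower() == "true"
    ssl = all(f.get(k) for k in SSL_FLAGS)                  # cert and key needed
    auth = "Kerberos" if kerberos else ("LDAP" if ldap else "none")
    p = Posture(auth, ssl, kerberos)
    if auth == "none":
        p.findings.append("client connections to Impala are not authenticated")
    if not ssl:
        p.findings.append("no wire-level encryption: enable SSL for Impala")
    if not kerberos:
        p.findings.append("no server-to-server authentication between Impala nodes")
    if not METASTORE_MATRIX[auth].get(hive_metastore, True):  # unknown mode: no finding
        p.findings.append(f"{auth} client mode with Hive on {hive_metastore} is not supported")
    return p
```

Run `assess()` on the contents of your IMPALA_SERVER_ARGS (a constructed example: `assess("impalad --enable_ldap_auth=true --ldap_uri=ldaps://ldap.example.com", "Kerberos")`) and read the findings list.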