Cloudera Enterprise 6.0.x | Other versions
Enabling LDAP Authentication for Impala
Authentication is the process of allowing only specified named users to access the server (in this case, the Impala server). This feature is crucial for any production deployment, to prevent misuse, tampering, or excessive load on the server. Impala uses LDAP for authentication, verifying the credentials of each user who connects through impala-shell, Hue, a Business Intelligence tool, JDBC or ODBC application, and so on.
Note: Regardless of the authentication mechanism
used, Impala always creates HDFS directories and data files owned by the same user (typically impala). To implement user-level access to different databases, tables,
columns, partitions, and so on, use the Sentry authorization feature, as explained in Enabling Sentry Authorization for
Impala.Continue reading:
- Requirements for Using Impala with LDAP
- Support for Custom Bind Strings
- LDAP Authentication for impala-shell Interpreter
- Enabling LDAP for Impala in Hue
- Enabling Impala Delegation for LDAP Users
- LDAP Restrictions for Impala
An alternative form of authentication you can use is Kerberos, described in Enabling Kerberos Authentication for Impala.
Requirements for Using Impala with LDAP
Authentication against LDAP servers is available in Impala 1.2.2 and higher. Impala 1.4.0 adds support for secure LDAP authentication through SSL and TLS.
The Impala LDAP support lets you use Impala with systems such as Active Directory that use LDAP behind the scenes.
Kerberos Authentication for Connections Between Impala Components
Only client->Impala connections can be authenticated by LDAP.
You must use the Kerberos authentication mechanism for connections between internal Impala components, such as between the impalad, statestored, and catalogd daemons. See Enabling Kerberos Authentication for Impala on how to set up Kerberos for Impala.
Support for Custom Bind Strings
When Impala connects to LDAP it issues a bind call to the LDAP server to authenticate as the connected user. Impala clients, including the Impala shell, provide the short name of the user to Impala. This is necessary so that Impala can use Sentry for role-based access, which uses short names.
However, LDAP servers often require more complex, structured usernames for authentication. Impala supports three ways of transforming the short name (for example, 'henry') to a more complicated string. If necessary, specify one of the following configuration options when starting the impalad daemon on each DataNode:
- --ldap_domain: Replaces the username with a string username@ldap_domain.
- --ldap_baseDN: Replaces the username with a "distinguished name" (DN) of the form: uid=userid,ldap_baseDN. (This is equivalent to a Hive option).
- --ldap_bind_pattern: This is the most general option, and replaces the username with the string ldap_bind_pattern where all instances of the string #UID are replaced with userid. For example, an ldap_bind_pattern of "user=#UID,OU=foo,CN=bar" with a username of henry will construct a bind name of "user=henry,OU=foo,CN=bar".
In the Impala configuration in Cloudera Manager, search for the configuration field names ldap_domain, ldap_basedn, or ldap_bind_pattern, fill in and save the appropriate field values, and restart the Impala service.
These options are mutually exclusive; Impala does not start if more than one of these options is specified.
LDAP Authentication for impala-shell Interpreter
To connect to Impala using LDAP authentication, you specify command-line options to the impala-shell command interpreter and enter the password when prompted:
- -l enables LDAP authentication.
- -u sets the user. Per Active Directory, the user is the short username, not the full LDAP distinguished name. If your LDAP settings include a search base, use the --ldap_bind_pattern on the impalad daemon to translate the short user name from impala-shell automatically to the fully qualified name.
- impala-shell automatically prompts for the password.
For the full list of available impala-shell options, see impala-shell Configuration Options.
LDAP authentication for JDBC applications: See Configuring Impala to Work with JDBC for the format to use with the JDBC connection string for servers using LDAP authentication.
Enabling LDAP for Impala in Hue
- Go to the Hue service.
- Click the Configuration tab.
- Select .
- Select .
- Add the following properties to the Hue Server Advanced Configuration Snippet (Safety Valve) for hue_safety_valve_server.ini property.
[impala] auth_username=<LDAP username of Hue user to be authenticated> auth_password=<LDAP password of Hue user to be authenticated>
- Click Save Changes.
Enabling Impala Delegation for LDAP Users
See Configuring Impala Delegation for Hue and BI Tools for details about the delegation feature that lets certain users submit queries using the credentials of other users.
LDAP Restrictions for Impala
The LDAP support is preliminary. It currently has only been tested against Active Directory.
| << Enabling Kerberos Authentication for Impala | ©2016 Cloudera, Inc. All rights reserved | Using Multiple Authentication Methods with Impala >> |
| Terms and Conditions Privacy Policy |