Error in Configuring TLS/SSL for Impala

Hi,

I have a cluster where I have already implemented TLS Level 3 encryption, and Kerberos authentication is enabled using an AD server. When I tried to enable Impala encryption as per the link "https://www.cloudera.com/documentation/enterprise/5-9-x/topics/impala_ssl.html", I started getting errors in Impala.

I am really stuck on the same and I would be really thankful if anybody can help me on the same.

Errors:

1] 

Sep 11, 7:01:24.332 PM INFO thrift-util.cc:111
TAcceptQueueServer: Caught TException: invalid sasl status

Sep 11, 7:01:24.332 PM INFO thrift-util.cc:111
SSL_shutdown: error code: 0

2] In impalad.INFO - Couldn't open transport for server:24000 (SSL_get_verify_result(), unable to get local issuer certificate)

3] RPC Error: No more data to read.

LOGS:

/statestored.INFO

Sep 11, 7:01:17.342 PM INFO authentication.cc:497
Registering impala/host@REALM, keytab file /var/run/cloudera-scm-agent/process/2375-impala-STATESTORE/impala.keytab
Sep 11, 7:01:17.843 PM INFO authentication.cc:803
Kerberos ticket granted to impala/host@REALM
Sep 11, 7:01:17.843 PM INFO authentication.cc:681
Using external kerberos principal "impala/host@REALM"
Sep 11, 7:01:17.843 PM INFO authentication.cc:1033
External communication is authenticated with Kerberos
Sep 11, 7:01:17.844 PM INFO init.cc:204
statestored version 2.7.0-cdh5.9.1 RELEASE (build 24ad6df788d66e4af9496edb26ac4d1f1d2a1f2c)
Built on Wed Jan 11 13:39:25 PST 2017
Sep 11, 7:01:17.844 PM INFO init.cc:205
Using hostname: host
Sep 11, 7:01:17.845 PM INFO logging.cc:156
Flags (see also /varz are on debug webserver):
--catalog_service_port=26000
--load_catalog_in_background=false
--num_metadata_loading_threads=16
--sentry_config=
--asm_module_dir=
--disable_optimization_passes=false
--dump_ir=false
--opt_module_dir=
--perf_map=false
--print_llvm_ir_instruction_count=false
--unopt_module_dir=
--abort_on_config_error=true
--be_port=22000
--be_principal=
--compact_catalog_topic=false
--disable_kudu=false
--disable_mem_pools=false
--enable_accept_queue_server=true
--enable_process_lifetime_heap_profiling=false
--heap_profile_dir=
--hostname=host
--keytab_file=/var/run/cloudera-scm-agent/process/2375-impala-STATESTORE/impala.keytab
--krb5_conf=
--krb5_debug_file=
--load_auth_to_local_rules=false
--max_minidumps=9
--mem_limit=80%
--minidump_path=/var/log/impala-minidumps/statestored
--minidump_size_limit_hint_kb=20480
--principal=impala/host@REALM
--redaction_rules_file=
--max_log_files=10
--pause_monitor_sleep_time_ms=500
--pause_monitor_warn_threshold_ms=10000
--log_filename=statestored
--redirect_stdout_stderr=true
--data_source_batch_size=1024
--exchg_node_buffer_size_bytes=10485760
--enable_partitioned_aggregation=true
--enable_partitioned_hash_join=true
--enable_probe_side_filtering=true
--enable_quadratic_probing=true
--skip_lzo_version_check=false
--parquet_min_filter_reject_ratio=0.10000000000000001
--max_row_batches=0
--runtime_filter_wait_time_ms=1000
--suppress_unknown_disk_id_warnings=false
--kudu_max_row_batches=0
--kudu_scanner_keep_alive_period_us=15000000
--kudu_scanner_keep_alive_period_sec=15
--kudu_scanner_timeout_sec=60
--pick_only_leaders_for_tests=false
--kudu_session_timeout_seconds=60
--convert_legacy_hive_parquet_utc_timestamps=false
--max_page_header_size=8388608
--enable_phj_probe_side_filtering=true
--accepted_cnxn_queue_depth=10000
--enable_ldap_auth=false
--internal_principals_whitelist=hdfs
--kerberos_reinit_interval=60
--ldap_allow_anonymous_binds=false
--ldap_baseDN=
--ldap_bind_pattern=
--ldap_ca_certificate=
--ldap_domain=
--ldap_manual_config=false
--ldap_passwords_in_clear_ok=false
--ldap_tls=false
--ldap_uri=
--sasl_path=
--rpc_cnxn_attempts=10
--rpc_cnxn_retry_interval_ms=2000
--disk_spill_encryption=false
--insert_inherit_permissions=false
--datastream_sender_timeout_ms=120000
--max_cached_file_handles=0
--max_free_io_buffers=128
--min_buffer_size=1024
--num_disks=0
--num_remote_hdfs_io_threads=8
--num_s3_io_threads=16
--num_threads_per_disk=0
--read_size=8388608
--backend_client_connection_num_retries=3
--backend_client_rpc_timeout_ms=300000
--catalog_client_connection_num_retries=3
--catalog_client_rpc_timeout_ms=0
--catalog_service_host=localhost
--cgroup_hierarchy_path=
--coordinator_rpc_threads=12
--enable_rm=false
--enable_webserver=true
--llama_addresses=
--llama_callback_port=28000
--llama_host=
--llama_max_request_attempts=5
--llama_port=15000
--llama_registration_timeout_secs=30
--llama_registration_wait_secs=3
--num_hdfs_worker_threads=16
--resource_broker_cnxn_attempts=1
--resource_broker_cnxn_retry_interval_ms=3000
--resource_broker_recv_timeout=0
--resource_broker_send_timeout=0
--staging_cgroup=impala_staging
--state_store_host=localhost
--state_store_subscriber_port=23000
--use_statestore=true
--s3a_access_key_cmd=
--s3a_secret_key_cmd=
--local_library_dir=/tmp
--serialize_batch=false
--status_report_interval=5
--max_filter_error_rate=0.75
--num_threads_per_core=3
--use_local_tz_for_unix_timestamp_conversions=false
--scratch_dirs=/tmp
--queue_wait_timeout_ms=60000
--max_vcore_oversubscription_ratio=2.5
--rm_mem_expansion_timeout_ms=5000
--rm_always_use_defaults=false
--rm_default_cpu_vcores=2
--rm_default_memory=4G
--default_pool_max_queued=200
--default_pool_max_requests=-1
--default_pool_mem_limit=
--disable_pool_max_requests=false
--disable_pool_mem_limits=false
--fair_scheduler_allocation_path=
--llama_site_path=
--require_username=false
--disable_admission_control=false
--log_mem_usage_interval=0
--authorization_policy_file=
--authorization_policy_provider_class=org.apache.sentry.provider.common.HadoopGroupResourceAuthorizationProvider
--authorized_proxy_user_config=
--authorized_proxy_user_config_delimiter=,
--load_catalog_at_startup=false
--server_name=
--abort_on_failed_audit_event=true
--abort_on_failed_lineage_event=true
--audit_event_log_dir=
--be_service_threads=64
--beeswax_port=21000
--cancellation_thread_pool_size=5
--default_query_options=
--fe_service_threads=64
--hs2_port=21050
--idle_query_timeout=0
--idle_session_timeout=0
--lineage_event_log_dir=
--local_nodemanager_url=
--log_query_to_file=true
--max_audit_event_log_file_size=5000
--max_lineage_log_file_size=5000
--max_profile_log_file_size=5000
--max_profile_log_files=10
--max_result_cache_size=100000
--profile_log_dir=
--query_log_size=25
--ssl_client_ca_certificate=/opt/cloudera/security/x509/ssl_wildcard_full.pem
--ssl_private_key=/opt/cloudera/security/x509/ssl_wildcard.key
--ssl_private_key_password_cmd=/var/run/cloudera-scm-agent/process/2375-impala-STATESTORE/altscript.sh sec-0-ssl_private_key_password_cmd
--ssl_server_certificate=/opt/cloudera/security/x509/ssl_wildcard_full.pem
--statestore_subscriber_cnxn_attempts=10
--statestore_subscriber_cnxn_retry_interval_ms=3000
--statestore_subscriber_timeout_seconds=30
--state_store_port=24000
--statestore_heartbeat_frequency_ms=1000
--statestore_heartbeat_tcp_timeout_seconds=3
--statestore_max_missed_heartbeats=10
--statestore_num_heartbeat_threads=10
--statestore_num_update_threads=10
--statestore_update_frequency_ms=2000
--statestore_update_tcp_timeout_seconds=300
--force_lowercase_usernames=false
--num_cores=0
--web_log_bytes=1048576
--non_impala_java_vlog=0
--periodic_counter_update_period_ms=500
--enable_webserver_doc_root=true
--webserver_authentication_domain=
--webserver_certificate_file=/opt/cloudera/security/x509/ssl_wildcard_full.pem
--webserver_doc_root=/opt/cloudera/parcels/CDH-5.9.1-1.cdh5.9.1.p0.4/lib/impala
--webserver_interface=
--webserver_password_file=
--webserver_port=25010
--webserver_private_key_file=/opt/cloudera/security/x509/ssl_wildcard.key
--webserver_private_key_password_cmd=/var/run/cloudera-scm-agent/process/2375-impala-STATESTORE/altscript.sh sec-0-webserver_private_key_password_cmd
--webserver_x_frame_options=DENY
--flagfile=/var/run/cloudera-scm-agent/process/2375-impala-STATESTORE/impala-conf/state_store_flags
--fromenv=
--tryfromenv=
--undefok=
--tab_completion_columns=80
--tab_completion_word=
--help=false
--helpfull=false
--helpmatch=
--helpon=
--helppackage=false
--helpshort=false
--helpxml=false
--version=false
--alsologtoemail=
--alsologtostderr=false
--drop_log_memory=true
--log_backtrace_at=
--log_dir=/var/log/statestore
--log_link=
--log_prefix=true
--logbuflevel=0
--logbufsecs=30
--logemaillevel=999
--logmailer=/bin/mail
--logtostderr=false
--max_log_size=200
--minloglevel=0
--stderrthreshold=4
--stop_logging_if_full_disk=false
--symbolize_stacktrace=true
--v=1
--vmodule=
Sep 11, 7:01:17.845 PM INFO init.cc:212
Physical Memory: 125.93 GB
Sep 11, 7:01:17.845 PM INFO webserver.cc:247
Document root: /opt/cloudera/parcels/CDH-5.9.1-1.cdh5.9.1.p0.4/lib/impala
Sep 11, 7:01:18.128 PM INFO webserver.cc:331
Webserver started
Sep 11, 7:01:18.134 PM INFO statestored-main.cc:85
Enabling SSL for Statestore
Sep 11, 7:01:18.399 PM INFO thrift-server.cc:391
Command '/var/run/cloudera-scm-agent/process/2375-impala-STATESTORE/altscript.sh sec-0-ssl_private_key_password_cmd' executed successfully, .PEM password retrieved
Sep 11, 7:01:18.400 PM INFO thrift-server.cc:449
ThriftServer 'StatestoreService' started on port: 24000s
Sep 11, 7:01:24.332 PM INFO thrift-util.cc:111
SSL_shutdown: error code: 0
Sep 11, 7:01:24.332 PM INFO thrift-util.cc:111
TAcceptQueueServer: Caught TException: invalid sasl status

Please help.

Thank you,

Amit
