Support Questions

Find answers, ask questions, and share your expertise
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

Error Connecting to Impala via HA Proxy Node

avatar
Rising Star

I am trying to connect to Impala through from the edge node of a cluster via HA Proxy. I've verified HAProxy is up and runninng by using it to connect to other services (Hue, for example), but when I enter the below command I receive the following error:

 

-sh-4.2$ impala-shell -i haproxy1:21000 -k --ssl

Starting Impala Shell using Kerberos authentication
Using service name 'impala'
SSL is enabled. Impala server certificates will NOT be verified (set --ca_cert to change)
Error connecting: TTransportException, Could not start SASL: Error in sasl_client_start (-1) SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)

 

The Impala settings in HA Proxy are shown below. Based on what is outlined at https://www.cloudera.com/documentation/enterprise/5-2-x/topics/impala_proxy.html it seems I've covered all of the standard steps. Is there anything else that needs to be configured for HA Proxy to work as a load balancer for Impala?

 

# IMPALA
listen impala :21000
# bind *:21000
mode tcp
option tcplog
balance leastconn

server worker1 worker1.name:21000
server worker2 worker2.name:21000
server worker3 worker3.name:21000
server worker4 worker4.name:21000


listen impalajdbc :21050
# bind *:21050
mode tcp
option tcplog
balance source

server worker1 worker1.name:21000
server worker2 worker2.name:21000
server worker3 worker3.name:21000
server worker4 worker4.name:21000

12 REPLIES 12

avatar
Rising Star

Found the issue. There was a typo in our DC which was set up as our DNS.

avatar
New Contributor

Hi @mbigelow - Can you please how to achieve this and what are the steps to do that
"Is there an ssl certificate for the HAProxy and is it configured to use it. Is the CA cert for it in the PEM file that Impala is configured to use?"

i have created the LB certificate where i have SAN entries for all daemons, impala server, & LB
But still the below error


impala-shell -i lb_url.com -d default -k --ssl --ca_cert=certificate.pem
Starting Impala Shell using Kerberos authentication
Using service name 'impala'
SSL is enabled
Error connecting: TTransportException, Certificate error with remote host: hostname '' doesn't match 'impala-daemon-1'
***********************************************************************************
Welcome to the Impala shell.
(Impala Shell v3.4.0-SNAPSHOT (91716c9) built on )

You can change the Impala daemon that you're connected to by using the CONNECT
command.To see how Impala will plan to run your query without actually executing
it, use the EXPLAIN command. You can change the level of detail in the EXPLAIN
output by setting the EXPLAIN_LEVEL query option.
***********************************************************************************
[Not connected] >

 

impala-shell -i lb_url.com -d default -k --ssl --ca_cert=certificate.pem
Starting Impala Shell using Kerberos authentication
Using service name 'impala'
SSL is enabled
Error connecting: TTransportException, Certificate error with remote host: hostname '' doesn't match 'impala-daemon-2'
***********************************************************************************
Welcome to the Impala shell.
(Impala Shell v3.4.0-SNAPSHOT (91716c9) built on )

You can change the Impala daemon that you're connected to by using the CONNECT
command.To see how Impala will plan to run your query without actually executing
it, use the EXPLAIN command. You can change the level of detail in the EXPLAIN
output by setting the EXPLAIN_LEVEL query option.
***********************************************************************************
[Not connected] >

avatar
Community Manager

@45, as this is an older post, you would have a better chance of receiving a resolution by starting a new thread. This will also be an opportunity to provide details specific to your environment that could aid others in assisting you with a more accurate answer to your question. You can link this thread as a reference in your new post.



Regards,

Vidya Sargur,
Community Manager


Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.
Learn more about the Cloudera Community: