question Re: SSL and LDAP architecture with in Impala-Need to study in Support Questions

SSL and LDAP architecture with in Impala-Need to study

Sreeman — Fri, 16 Sep 2022 09:03:54 GMT

Hello,

I was trying to figure out what exactly happens when we enable SSL and LDAP on Impala cluster and the same integrated with any BI tool (client). I mean, I would like to understand each call flow, after SSL handshake how the data get transfered, basically a sequence diagram and which functions in the source code takes care of this. I hardly found good extent on SSL and LDAP working procedure in the cloudera documentation.

Any one has better links or documents for the same.

Regards

Sreeman

Re: SSL and LDAP architecture with in Impala-Need to study

HenryR — Fri, 01 Aug 2014 22:56:47 GMT

When LDAP is enabled, the flow is like this:

The client (e.g. the Impala shell) opens a connection to Impala and indicates that it wants to use LDAP authentication
Impala accepts the connection and the username and password from the client
Impala opens a connection to the LDAP server, and calls ldap_simple_bind_s(user, pass) on that connection
If successful, the client is authenticated, if not its connection is closed.

If SSL is enabled either between the client and the server or between the server and the LDAP server, that doesn't change much except to say that the connection is secured by SSL before any further data are exchanged on it.

The code to actually perform the authentication is here: https://github.com/cloudera/Impala/blob/master/be/src/rpc/authentication.cc (see SaslLdapCheckPass() in particular).

Henry

Re: SSL and LDAP architecture with in Impala-Need to study

Sreeman — Mon, 04 Aug 2014 06:34:43 GMT

Thanks Henry for giving me the github link. Let's in this case I want to establish SSL connection between Tableau server and Impala server and also between Impala server and Active Directory.Does impala support it? I mean while enabling SSL, we can provide only one SSL certificate for the ssl server certifcate path parameter? Am I right?

Regards

Sreeman

Re: SSL and LDAP architecture with in Impala-Need to study

HenryR — Mon, 04 Aug 2014 18:55:52 GMT

Yes, Impala supports that configuration. You would use --ssl_server_certificate to secure Impala<-> client connections, and --ldap_ca_certificate to secure Impala <-> LDAP connections.

Henry

Re: SSL and LDAP architecture with in Impala-Need to study

Sreeman — Tue, 05 Aug 2014 09:56:24 GMT

Thank you Henry. In case if we don't set SSL between AD and Impala/Hive, does it encrypt the password automatically? I see if we set ldap_passwords_in_clear_ok, false then password will not be in clear form? But I am not sure about user id? If both user id and password encrypted by default what kind of encryption logic is used?

Regards

Sreeman

Re: SSL and LDAP architecture with in Impala-Need to study

HenryR — Tue, 05 Aug 2014 17:52:01 GMT

There is no encryption other than that provided by SSL, which affects all traffic. If you set --ldap_passwords_in_clear_ok=false, Impala will fail to start unless the connection to the AD server has SSL enabled.

Henry

Re: SSL and LDAP architecture with in Impala-Need to study

smarinov — Wed, 24 Jun 2015 14:59:20 GMT

Henry - can you give a bit of background as to how --ldap_passwords_in_clear_ok is supposed to be used? We have a secure impala to LDAP connection but have not set the --ldap_passwords_in_clear_ok parameter. Do we need to?

Re: SSL and LDAP architecture with in Impala-Need to study

HenryR — Wed, 24 Jun 2015 18:02:53 GMT

You should use --ldap_passwords_in_clear_ok *only* if you're comfortable with Impala sending passwords in the clear to the LDAP server, i.e. not by a secure connection.

This flag is mainly as an override for secure-by-default configuration. You should not set it unless there is no way to secure the password-carrying connections.

Henry

Re: SSL and LDAP architecture with in Impala-Need to study

smarinov — Wed, 24 Jun 2015 18:05:26 GMT

Ok got it. Just wanted to make sure we don't have to set it to false. Thank you.

Re: SSL and LDAP architecture with in Impala-Need to study

zeeshan.khan — Fri, 24 Jul 2015 11:16:49 GMT

Hi,

Is there a way to use SSL encryption ( or any other encryption) only for the login credentials encryption and not the other traffic on the user -> impala connection

I am using Tableau to extract data from Impala. In order to authenticate users, I activated LDAP authentication on impala, and in order to encrypt the user credentials transmission from Tableau to Impala, I used the SSL encryption. However, SSL encryption is applied to all traffic and it really slows down the data extraction from Impala.

I am looking for a way to encrypt only the user credentials during the authentication step and then not use SSL for the rest of the data traffice. Is there a way to do it ?

Thanks in advance.

Re: SSL and LDAP architecture with in Impala-Need to study

HenryR — Fri, 24 Jul 2015 18:13:06 GMT

Hi -

Not currently, I'm afraid. Authentication and data access go over the same connection.

To change that, Impala's clients would have to connect over another channel after authentication. The client would have to receive during authentication some shared secret token allowing it to prove to the server that it's ok to access data. We don't currently have any plans to implement this.

Best,

Henry

Re: SSL and LDAP architecture with in Impala-Need to study

zeeshan.khan — Thu, 30 Jul 2015 10:14:05 GMT

In that case, can you suggest a way to speed up the SSL communication with Impala ?

Currently we are using Tableau to extract data from Impala. And with SSL activated, the data extraction is at least 30x to 100x slower than before.

Did you see this behavior ? Do you have a remedy for it ?

Thanks in advance.