Impala connection string for cluster with ssl enabled and kerberos auth

JB000000000001 — Tue, 29 Oct 2019 13:14:21 GMT

Dear community,
we have a problem when connecting to impala with the impala jdbc connector.

Our cluster setup is:
cdh 6.2/impala 3.2
kerberos enabled
ssl activated.

Our cluster 's configuration has been checked thoroughly and the cluster is correctly processing high volumes of data, using kerberos authentication and has security/sentry etc in place. SSL and kerberos processes work fine, in other words this is not a cluster we just started setting up.

We have an issue when making a connection from a java program using the impala jdbc connector.
I am following the documentation on https://docs.cloudera.com/documentation/other/connectors/impala-jdbc/2-6-11/Cloudera-JDBC-Driver-for-Impala-Install-Guide.pdf (-> page 12 and 88 contain detailed explanation about the connection strings and each possible option for Kerberos ).

When we use a connection string including ssl and authentication mechanism 3 and provide the ldap user/password this works fine:
#WORKS FINE
impalaConnectionURL=jdbc:impala://mycluster.lan:21050/default;AuthMech=3;krbRealm=MYCOMPANY.COM;SSL=1;SSLKeyStore=/opt/cloudera/security/thekey.jks;SSLKeyStorePwd=correctpassword;UID=correctuser;PWD=correctpassword

However we would like to connect using Kerberos authentication:

#DOES NOT WORK
impalaConnectionURL=jdbc:impala://mycluster.lan:21050/default;AuthMech=1;krbRealm=MYCOMPANY.COM;KrbHostFQDN=correctnode.lan;KrbServiceName=impala;SSL=1;SSLKeyStore=/opt/cloudera/security/thekey.jks;SSLKeyStorePwd=correctpassword;LogLevel=6

Breakdown of field used + motivation that values are correct in our opinion:
AuthMech=1; -->Kerberos Authentication
krbRealm=MYCOMPANY.COM; -->correct as klist returns: user@MYCOMPANY.COM
KrbHostFQDN=correctnode.lan; --> server where kerberos runs (on this server sudo service krb5kdc status shows it is active)
KrbServiceName=impala --> service for which kerberos authenitcation is used: this case impala
LogLevel=6 -->want to print as much info as possible
SSL=1; --> using ssl
SSLKeyStore=/opt/cloudera/security/pki/server.jks; --> specifying keystore
SSLKeyStorePwd=<pwd> --> password for keystore --> this is correct as it works when we do not use kerberos (see above)

Encountered error (JAVA log):

-------------------------------------------

java.sql.SQLException: [Cloudera][ImpalaJDBCDriver](500164) Error initialized or created transport for authentication: [Cloudera][ImpalaJDBCDriver](500169) Unable to connect to server: GSS initiate failed.

at com.cloudera.impala.hivecommon.api.HiveServer2ClientFactory.createTransport(Unknown Source)

at com.cloudera.impala.hivecommon.api.HiveServer2ClientFactory.createClient(Unknown Source)

at com.cloudera.impala.hivecommon.core.HiveJDBCCommonConnection.establishConnection(Unknown Source)

at com.cloudera.impala.impala.core.ImpalaJDBCConnection.establishConnection(Unknown Source)

at com.cloudera.impala.jdbc.core.LoginTimeoutConnection.connect(Unknown Source)
...
at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1855)

Caused by: com.cloudera.impala.support.exceptions.GeneralException: [Cloudera][ImpalaJDBCDriver](500164) Error initialized or created transport for authentication: [Cloudera][ImpalaJDBCDriver](500169) Unable to connect to server: GSS initiate failed.

... 16 common frames omitted

impala log:

----------------

I1029 14:08:34.201046 119410 thrift-util.cc:123] TAcceptQueueServer: Caught TException: sasl Peer indicated failure:

I am wondering if there are known issues using both kerberos and ssl in the impala jdbc string because of :
1)in the docs /online all examples for SSL use authentication mechanism=3- I have not found a single example using kerberos and ssl combined
2)I noticed a remark (https://docs.cloudera.com/documentation/enterprise/6/6.2/topics/impala_jdbc.html) :Prior to CDH 5.7 / Impala 2.5, the Hive JDBC driver did not support connections that use both Kerberos authentication and SSL encryption. Is possibly a similar issue also known for impala?

Thanks for any thoughts/input!

Re: Impala connection string for cluster with ssl enabled and kerberos auth

customer — Tue, 29 Oct 2019 19:12:53 GMT

Ref. pg. 12 "To configure default Kerberos authentication"[1], the KrbHostFQDN should be the fully qualified domain name of the Impala server host you are trying to connect to. In this case, it should be "mycluster.lan".

I'd try that first and see if it work.

[1] https://docs.cloudera.com/documentation/other/connectors/impala-jdbc/2-6-12/Cloudera-JDBC-Driver-for-Impala-Install-Guide.pdf

Re: Impala connection string for cluster with ssl enabled and kerberos auth

JB000000000001 — Wed, 30 Oct 2019 08:44:26 GMT

Great spot!

Indeed you are right, the KrbHostFQDN is not the host where kerberos runs on, but will be the impala host.

This fixed my error.

Many thanks for taking the time to read through the post and give the appropriate solution!

PS:

I believe then KrbHostFQDN will always be the same as the impala host we connect to (the value "impalahost" in jdbc:impala://impalahost), so one could ask why it is worth having a separate config option for this.

question Re: Impala connection string for cluster with ssl enabled and kerberos auth in Support Questions

Impala connection string for cluster with ssl enabled and kerberos auth

Re: Impala connection string for cluster with ssl enabled and kerberos auth

Re: Impala connection string for cluster with ssl enabled and kerberos auth