Impala: Authenticate with Kerberos using a "received" keytab file.

uma66 — Fri, 16 Sep 2022 13:40:17 GMT

Hello,

I am building a REST API server that relays queries to Impala.

The REST API will receive keytab file from the client server, and want to proxy Kerberos authentication on the API side.

The following sequence.

[Client Server] -- send keytab --> [REST API] --> ODBC or JDBC --> [Impala]

In order to realize the above, I think that it is necessary to dynamically authenticate ODBC using the keytab received on the REST API side. is there such a thing possible?

For example, HDFS Java API can pass and transfer arbitrary keytab as follows.

UserGroupInformation.loginUserFromKeytab("hdfs@CLOUDERA", "/etc/hadoop/conf/hdfs.keytab");

However, Impala's ODBC or JDBC document shows that you are preparing a static file (UPNKeytabMappingFile) that defines pairs of user principals and keytab files.

{
"cloudera": {
"principal" : "cloudera@CLOUDERA",
"keytab": "/tmp/cloudera.keytab"
},

Is there a way to authenticate with keytab received from client without predefining it?

Thank you in advance.

Re: Impala: Authenticate with Kerberos using a "received" keytab file.

Tomas79 — Wed, 05 Sep 2018 05:51:51 GMT

Yes it is. But you have to prepare the keytab files in advance on your REST API server and prepare a mapping file. Then you can switch between users. See the Simba documentation for more details

question Re: Impala: Authenticate with Kerberos using a "received" keytab file. in Archives of Support Questions (Read Only)

Impala: Authenticate with Kerberos using a "received" keytab file.

Re: Impala: Authenticate with Kerberos using a "received" keytab file.