Impala client configuration documentation out of sync with CM

https://www.cloudera.com/documentation/enterprise/5-9-x/topics/impala_ssl.html shows a bunch of "TLS/SSL ... Client" properties that no longer appear in CM for CDH 5.9.0. Is there an update to the documentation available that covers this?

I have Impala running behind a proxy and I am also wondering about how this fits in.

While I am here, HiveServer2 documentation indicates Kerberos and LDAP client authentication can co-exist but CM doesn't allow for this.

Clearly the documentation around client authentication could be better. Any pointers to updates would be appreciated.

Thanks, S.


1 ACCEPTED SOLUTION

@ScottE wrote:

https://www.cloudera.com/documentation/enterprise/5-9-x/topics/impala_ssl.html shows a bunch of "TLS/SSL ... Client" properties that no longer appear in CM for CDH 5.9.0. Is there an update to the documentation available that covers this?

I have Impala running behind a proxy and I am also wondering about how this fits in.

While I am here, HiveServer2 documentation indicates Kerberos and LDAP client authentication can co-exist but CM doesn't allow for this.


For the above three items:

The "TLS/SSL ... Client" properties are now just prefixed simply "Impala TLS/SSL Server" - this should be a documentation change.

If Impala is behind a proxy you need to configure HAProxy with a TLS certificate and have it connect to the Impala Server instances also using TLS. The HAProxy documentation will help, but some additional documentation from Cloudera would be nice.

HiveServer2 does not support simultaneous Kerberos and LDAP authentication (the way Impala does). To achieve this for Hive you need to run a second HiveServer2 instance, configuring one with Kerberos authentication and the other with LDAP.
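
An added example, not part of the original post or of Cloudera's documentation: an HAProxy fragment for the proxy setup described in the answer, terminating TLS from clients and re-encrypting to each Impala daemon with backend certificate validation. Host names and file paths are placeholders; 21050 is Impala's default port for JDBC/ODBC clients.

```haproxy
# Added example. Hosts and paths are placeholders; adjust to your cluster.
global
    # Refuse legacy protocol versions on both sides of the proxy.
    # (ssl-min-ver needs HAProxy 1.8 or later.)
    ssl-default-bind-options   ssl-min-ver TLSv1.2
    ssl-default-server-options ssl-min-ver TLSv1.2

defaults
    mode    tcp
    timeout connect 5s
    timeout client  1h      # long-running queries keep the connection open
    timeout server  1h

frontend impala_jdbc
    # The PEM holds the proxy's certificate chain and private key.
    # Clients connect to the proxy's name, so the certificate must carry it.
    bind :21050 ssl crt /etc/haproxy/certs/impala-proxy.example.com.pem
    default_backend impalad_jdbc

backend impalad_jdbc
    balance source          # keep each client on one impalad
    # "ssl" re-encrypts traffic to the backend. "verify required" with
    # "ca-file" validates the impalad certificate chain, and "verifyhost"
    # checks the name in it. Health checks ("check") also run over TLS.
    server impalad1 impalad1.example.com:21050 ssl verify required ca-file /etc/haproxy/certs/cluster-ca.pem verifyhost impalad1.example.com check
    server impalad2 impalad2.example.com:21050 ssl verify required ca-file /etc/haproxy/certs/cluster-ca.pem verifyhost impalad2.example.com check

    # Setting to avoid: "ssl verify none" encrypts the backend hop but
    # accepts any certificate, so the proxy cannot tell a real impalad
    # from an impostor.
    # server impalad1 impalad1.example.com:21050 ssl verify none check
```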
