SSL and LDAP architecture with in Impala-Need to study

Explorer

Hello,

I was trying to figure out what exactly happens when we enable SSL and LDAP on an Impala cluster and integrate it with any BI tool (client). I mean, I would like to understand each call flow: after the SSL handshake, how the data gets transferred, basically a sequence diagram, and which functions in the source code take care of this. I hardly found any good content on the SSL and LDAP working procedure in the Cloudera documentation.

Does anyone have better links or documents for the same?

Regards

Sreeman

1 ACCEPTED SOLUTION

Expert Contributor

Yes, Impala supports that configuration. You would use --ssl_server_certificate to secure Impala <-> client connections, and --ldap_ca_certificate to secure Impala <-> LDAP connections.

Henry

11 REPLIES

Expert Contributor

When LDAP is enabled, the flow is like this:

  1. The client (e.g. the Impala shell) opens a connection to Impala and indicates that it wants to use LDAP authentication
  2. Impala accepts the connection and the username and password from the client
  3. Impala opens a connection to the LDAP server, and calls ldap_simple_bind_s(user, pass) on that connection
  4. If successful, the client is authenticated; if not, its connection is closed.

If SSL is enabled either between the client and the server or between the server and the LDAP server, that doesn't change much except to say that the connection is secured by SSL before any further data are exchanged on it.

The code to actually perform the authentication is here: https://github.com/cloudera/Impala/blob/master/be/src/rpc/authentication.cc (see SaslLdapCheckPass() in particular). 

Henry

Explorer

Thanks Henry for giving me the GitHub link. Let's say in this case I want to establish an SSL connection between the Tableau server and the Impala server, and also between the Impala server and Active Directory. Does Impala support it? I mean, while enabling SSL, we can provide only one SSL certificate for the SSL server certificate path parameter? Am I right?

Regards

Sreeman

Expert Contributor

Yes, Impala supports that configuration. You would use --ssl_server_certificate to secure Impala <-> client connections, and --ldap_ca_certificate to secure Impala <-> LDAP connections.

Henry

Explorer

Thank you Henry. In case we don't set SSL between AD and Impala/Hive, does it encrypt the password automatically? I see that if we set ldap_passwords_in_clear_ok to false, then the password will not be in clear form? But I am not sure about the user id. If both user id and password are encrypted by default, what kind of encryption logic is used?

Regards

Sreeman

Expert Contributor

There is no encryption other than that provided by SSL, which affects all traffic. If you set --ldap_passwords_in_clear_ok=false, Impala will fail to start unless the connection to the AD server has SSL enabled.

Henry

Explorer

Henry - can you give a bit of background as to how --ldap_passwords_in_clear_ok is supposed to be used? We have a secure Impala to LDAP connection but have not set the --ldap_passwords_in_clear_ok parameter. Do we need to?

Expert Contributor

You should use --ldap_passwords_in_clear_ok *only* if you're comfortable with Impala sending passwords in the clear to the LDAP server, i.e. not by a secure connection.

This flag is mainly an override for the secure-by-default configuration. You should not set it unless there is no way to secure the password-carrying connections.

Henry
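To make the rule Henry describes concrete, here is an added example (not Impala's own code) that models the secure-by-default check over an Impala flagfile: with LDAP authentication on, both the client -> Impala hop and the Impala -> LDAP hop must be secured unless --ldap_passwords_in_clear_ok is set. The flag names are Impala's, but the check logic is a reconstruction from this thread and the flagfile contents are constructed.

```python
# Added example, not Impala's code: models the thread's rule that LDAP passwords
# must not cross either hop in the clear unless --ldap_passwords_in_clear_ok is set.
from dataclasses import dataclass

@dataclass
class ImpalaAuthFlags:
    enable_ldap_auth: bool = False
    ldap_uri: str = ""                # ldap://... or ldaps://...
    ldap_tls: bool = False            # StartTLS on the Impala -> LDAP hop
    ldap_ca_certificate: str = ""     # CA used to verify the LDAP server
    ssl_server_certificate: str = ""  # certificate presented to BI clients
    ldap_passwords_in_clear_ok: bool = False

def parse_flagfile(text: str) -> ImpalaAuthFlags:
    """Read gflags-style '--flag=value' (or bare '--flag') lines; others are ignored."""
    flags = ImpalaAuthFlags()
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("--"):
            continue
        name, has_value, value = line[2:].partition("=")
        if name not in flags.__dataclass_fields__:
            continue
        if isinstance(getattr(flags, name), bool):
            # a bare '--flag' means true, as in gflags
            setattr(flags, name, not has_value or value.strip().lower() in ("true", "1"))
        else:
            setattr(flags, name, value.strip())
    return flags

def ldap_hop_secured(f: ImpalaAuthFlags) -> bool:
    return f.ldap_uri.lower().startswith("ldaps://") or f.ldap_tls

def client_hop_secured(f: ImpalaAuthFlags) -> bool:
    return bool(f.ssl_server_certificate)

def startup_problems(f: ImpalaAuthFlags) -> list:
    """Reasons Impala should refuse to start; an empty list means the config is safe."""
    if not f.enable_ldap_auth or f.ldap_passwords_in_clear_ok:
        return []  # no LDAP passwords in play, or cleartext explicitly accepted
    problems = []
    if not client_hop_secured(f):
        problems.append("client -> Impala hop has no SSL; set --ssl_server_certificate")
    if not ldap_hop_secured(f):
        problems.append("Impala -> LDAP hop has no TLS; use ldaps:// or --ldap_tls")
    return problems

# Constructed flagfile: LDAP on, client hop secured, LDAP hop still plain ldap://
SAMPLE_FLAGFILE = "--enable_ldap_auth=true\n--ldap_uri=ldap://ad.example.internal\n--ssl_server_certificate=/etc/impala/server.pem\n"
```

Running startup_problems(parse_flagfile(SAMPLE_FLAGFILE)) reports only the unsecured LDAP hop; adding --ldap_tls or an ldaps:// URI clears it without ever touching --ldap_passwords_in_clear_ok.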

Explorer
Ok got it. Just wanted to make sure we don't have to set it to false. Thank you.

Hi,

Is there a way to use SSL encryption (or any other encryption) only for the login credentials and not for the other traffic on the user -> Impala connection?

I am using Tableau to extract data from Impala. In order to authenticate users, I activated LDAP authentication on Impala, and in order to encrypt the transmission of user credentials from Tableau to Impala, I used SSL encryption. However, SSL encryption is applied to all traffic and it really slows down the data extraction from Impala.

I am looking for a way to encrypt only the user credentials during the authentication step and then not use SSL for the rest of the data traffic. Is there a way to do it?

Thanks in advance.