07-30-2014 10:35 PM
I was trying to figure out what exactly happens when we enable SSL and LDAP on an Impala cluster and the same is integrated with any BI tool (client). I mean, I would like to understand each call flow, and how the data gets transferred after the SSL handshake; basically a sequence diagram, and which functions in the source code take care of this. I hardly found anything of good extent on the SSL and LDAP working procedure in the Cloudera documentation.
Does anyone have better links or documents for the same?
08-01-2014 03:56 PM
When LDAP is enabled, the flow is like this:
If SSL is enabled either between the client and the server or between the server and the LDAP server, that doesn't change much except to say that the connection is secured by SSL before any further data are exchanged on it.
The code to actually perform the authentication is here: https://github.com/cloudera/Impala/blob/master/be/src/rpc/authentication.cc (see SaslLdapCheckPass() in particular).
08-03-2014 11:34 PM
Thanks Henry for giving me the GitHub link. Let's say in this case I want to establish an SSL connection between Tableau server and Impala server and also between Impala server and Active Directory. Does Impala support it? I mean, while enabling SSL, we can provide only one SSL certificate for the SSL server certificate path parameter? Am I right?
08-04-2014 11:55 AM
Yes, Impala supports that configuration. You would use --ssl_server_certificate to secure Impala <-> client connections, and --ldap_ca_certificate to secure Impala <-> LDAP connections.
08-05-2014 02:56 AM
Thank you Henry. In case we don't set SSL between AD and Impala/Hive, does it encrypt the password automatically? I see that if we set ldap_passwords_in_clear_ok to false then the password will not be in clear form? But I am not sure about the user id. If both user id and password are encrypted by default, what kind of encryption logic is used?
08-05-2014 10:52 AM
There is no encryption other than that provided by SSL, which affects all traffic. If you set --ldap_passwords_in_clear_ok=false, Impala will fail to start unless the connection to the AD server has SSL enabled.
06-24-2015 07:58 AM - edited 06-24-2015 07:59 AM
Henry - can you give a bit of background as to how --ldap_passwords_in_clear_ok is supposed to be used? We have a secure Impala to LDAP connection but have not set the --ldap_passwords_in_clear_ok parameter. Do we need to?
06-24-2015 11:02 AM
You should use --ldap_passwords_in_clear_ok *only* if you're comfortable with Impala sending passwords in the clear to the LDAP server, i.e. not by a secure connection.
This flag is mainly an override for the secure-by-default configuration. You should not set it unless there is no way to secure the password-carrying connections.
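Added example (not part of the thread, and not Impala's own code): a Python check over an impalad command line that reports which of the two password-carrying connections described above lack TLS, and whether the override flag is set. The flag names --enable_ldap_auth, --ldap_uri and --ldap_tls are assumptions not quoted in the thread; hosts and paths are placeholders.

```python
# Added example, not Impala code. --enable_ldap_auth, --ldap_uri and --ldap_tls
# are assumed flag names; the other three flags are the ones quoted in the thread.
BOOL_FLAGS = {"enable_ldap_auth", "ldap_tls", "ldap_passwords_in_clear_ok"}
TRUE_VALUES = {"1", "true", "t", "yes", "y"}

def parse_flags(argv):
    """Parse gflags-style --name=value, --name and --noname (booleans only)."""
    flags = {}
    for arg in argv:
        if not arg.startswith("-"):
            continue  # program name or positional argument
        name, sep, value = arg.lstrip("-").partition("=")
        if not sep:
            if name.startswith("no") and name[2:] in BOOL_FLAGS:
                name, value = name[2:], "false"
            else:
                value = "true"
        flags[name] = value
    return flags

def is_true(flags, name):
    return flags.get(name, "false").lower() in TRUE_VALUES

def audit(argv):
    """Return findings for each hop where the LDAP password is not protected."""
    flags = parse_flags(argv)
    if not is_true(flags, "enable_ldap_auth"):
        return []
    findings = []
    if not flags.get("ssl_server_certificate"):
        findings.append("client <-> Impala: no --ssl_server_certificate")
    ldaps = flags.get("ldap_uri", "").lower().startswith("ldaps://")
    if not (ldaps or is_true(flags, "ldap_tls")):
        findings.append("Impala <-> LDAP: neither ldaps:// nor --ldap_tls")
    elif not flags.get("ldap_ca_certificate"):
        findings.append("Impala <-> LDAP: TLS but no --ldap_ca_certificate")
    if is_true(flags, "ldap_passwords_in_clear_ok"):
        findings.append("--ldap_passwords_in_clear_ok overrides the secure default")
    return findings

# Constructed sample command lines (hosts and paths are placeholders).
WEAK = ["impalad", "--enable_ldap_auth=true", "--ldap_uri=ldap://ad.example.com",
        "--ldap_passwords_in_clear_ok"]
HARDENED = ["impalad", "--enable_ldap_auth", "--ldap_uri=ldaps://ad.example.com",
            "--ssl_server_certificate=/path/to/server.pem",
            "--ldap_ca_certificate=/path/to/ca.pem"]

if __name__ == "__main__":
    for name, argv in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(argv) or "no cleartext password hop found")
```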
07-23-2015 10:02 AM - edited 07-24-2015 04:16 AM
Is there a way to use SSL encryption (or any other encryption) only for the login credentials and not for the other traffic on the user -> Impala connection?
I am using Tableau to extract data from Impala. In order to authenticate users, I activated LDAP authentication on Impala, and in order to encrypt the user credentials transmission from Tableau to Impala, I used SSL encryption. However, SSL encryption is applied to all traffic and it really slows down the data extraction from Impala.
I am looking for a way to encrypt only the user credentials during the authentication step and then not use SSL for the rest of the data traffic. Is there a way to do it?
Thanks in advance.