
Hue's Impala Query Editor Connecting to SSL Enabled Impala Service


Good day, hope this message finds you well.

We recently updated our TEST environment to CDH 5.4.3 and as part of that, enabled SSL for Impala. After doing so, we noticed that when connecting via impala-shell, we had to issue a --ssl parameter. If we didn't do this, Impala would show the following in our logs.

"TThreadPoolServer: TServerTransport died on accept: SSL_accept: wrong version number"

We are now going through Hue to test the Impala Query editor, and facing a similar issue. When we click on the Query Editor > Impala we get the infinite spinning wheel on the database load. When checking the Impala logs, we get the same message as we did when we didn't pass in --ssl for the impala-shell.

"TThreadPoolServer: TServerTransport died on accept: SSL_accept: wrong version number"

I noticed there was a 5.4.4 release to address an issue when SSL is enabled for Hue, it wouldn't start. However, not sure if that is potentially the same issue here. We do plan on going to 5.4.4 but was just trying to get some high level verification done in advance.

Anyone seen something like this before? My thoughts are that we need to somehow indicate to Hue that it too needs to talk to Impala via SSL using the equivalent of the --ssl parameter we used for our impala-shell, but I'm not seeing an option for that in Cloudera Manager's Hue Configuration section.

Thanks for your thoughts in advance,

Mac

Re: Hue's Impala Query Editor Connecting to SSL Enabled Impala Service

Question to Mac Noland: Did those links help with your issue at all, or are you still seeing the same problem?

Re: Hue's Impala Query Editor Connecting to SSL Enabled Impala Service

Thanks for the response and checking back in. I had to work on some other things for the client so finally getting back to this.

We are running 5.4.3 so I used the following document under "Hue as an SSL Client", but unfortunately we're getting the same behavior.

http://www.cloudera.com/content/cloudera/en/documentation/core/latest/topics/cm_sg_ssl_hue.html

I admittedly didn't quite follow the exporting process of the service JKS Keystores for non-Java services (Impala in our case), so in the process of trying to see where that was at, I ended up noticing in Impala's SSL configuration a section called "SSL/TLS Certificate for Clients". This references a file '/opt/cloudera/security/x509/impala.cer' that is on each of our hosts running the Impalad process. The explanation is as follows: "Local path to the X509 certificate that will identify the Impala daemon to clients during SSL/TLS connections. This file must be in PEM format."

Being it seemed to indicate it was for 'clients', and was in a PEM format (I double checked), what I did was grab this file, move it to the Hue server, set the permissions so the Hue user could see it, set REQUESTS_CA_BUNDLE=/tmp/hue-cert/impala.cer in the "Hue Service Environment Advanced Configuration Snippet (Safety Valve)" section and restarted Hue. I put it in /tmp as I'm not an elevated user on the system so had to pick a spot where I could put it. We'd have our Unix team do all this and put it in a better location once we get it figured out of course.

And unfortunately this didn't seem to fix the issue. Any ideas, or possibly I'm doing something wrong? I did notice a section in Impala called "SSL/TLS Private Key for Clients" but didn't quite understand if that was for clients, or was the Private key Impala uses to unseal the package a client encrypts with the public key.

Thanks in advance for your help.
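
Added example, not part of the thread and not Cloudera or Impala code: a TLS listener reads whatever arrives as a TLS record header, and a plaintext Thrift client's opening bytes do not carry a 3.x version in that position, which is consistent with the "wrong version number" line quoted above. The sample byte strings are constructed, `OpenSession` is used only as an assumed sample method name, and the function names are illustrative.

```python
import struct

THRIFT_VERSION_1 = 0x80010000    # strict TBinaryProtocol version word
THRIFT_VERSION_MASK = 0xFFFF0000
TLS_HANDSHAKE = 22               # TLS record content type: handshake
TLS_MAX_RECORD = 0x4800          # 2**14 + 2048, largest legal record length

# Constructed samples (not captured traffic).
TLS_HELLO = bytes.fromhex("16030100c8010000c40303")
THRIFT_CALL = (struct.pack("!I", THRIFT_VERSION_1 | 1)     # version + CALL
               + struct.pack("!I", 11) + b"OpenSession"    # assumed method name
               + struct.pack("!I", 0))                     # sequence id
THRIFT_FRAMED = struct.pack("!I", len(THRIFT_CALL)) + THRIFT_CALL


def is_thrift_binary(buf: bytes) -> bool:
    """True if buf starts with a strict TBinaryProtocol version word."""
    if len(buf) < 4:
        return False
    (word,) = struct.unpack("!I", buf[:4])
    return (word & THRIFT_VERSION_MASK) == THRIFT_VERSION_1


def classify_first_bytes(data: bytes) -> str:
    """Label the opening bytes a client sent to a listener."""
    if len(data) >= 5:
        ctype, major, _minor, length = struct.unpack("!BBBH", data[:5])
        # TLS record header: content type, version 3.x, 2-byte length.
        if ctype == TLS_HANDSHAKE and major == 3 and 0 < length <= TLS_MAX_RECORD:
            return "tls"
    if is_thrift_binary(data):
        return "thrift-plaintext"
    if len(data) >= 8 and is_thrift_binary(data[4:]):
        return "thrift-plaintext-framed"    # 4-byte frame length comes first
    return "unknown"


def record_version(data: bytes):
    """The (major, minor) a TLS record parser would read from these bytes."""
    return (data[1], data[2]) if len(data) >= 3 else None


if __name__ == "__main__":
    for name, sample in [("tls", TLS_HELLO), ("thrift", THRIFT_CALL),
                         ("framed", THRIFT_FRAMED)]:
        print(name, classify_first_bytes(sample), record_version(sample))
```

Run against the first bytes of a packet capture on the Impala port, this shows whether a given client (impala-shell without --ssl, or Hue) is opening the connection in plaintext.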
