If I want to put an SSL-enabled Impala behind a load balancer, should I use one certificate with CN=loadbalancer.example.com that I install on all Impala hosts, or one certificate per host with a subjectAltName, or some other variant?
https://issues.cloudera.org/browse/IMPALA-3159 claims impala-shell doesn't work with wildcard certs, so I guess that's not really an option.
Just FYI, IMPALA-3159 is in now. So this should work on the latest clone of Impala. Alternatively, you could cherry-pick only this patch and run it without rebuilding (as it's a Python-only change).