Dear community,
we have a problem when connecting to impala with the impala jdbc connector.
Our cluster setup is:
cdh 6.2/impala 3.2
kerberos enabled
ssl activated.
Our cluster 's configuration has been checked thoroughly and the cluster is correctly processing high volumes of data, using kerberos authentication and has security/sentry etc in place. SSL and kerberos processes work fine, in other words this is not a cluster we just started setting up.
We have an issue when making a connection from a java program using the impala jdbc connector.
I am following the documentation on https://docs.cloudera.com/documentation/other/connectors/impala-jdbc/2-6-11/Cloudera-JDBC-Driver-for... (-> page 12 and 88 contain detailed explanation about the connection strings and each possible option for Kerberos ).
When we use a connection string including ssl and authentication mechanism 3 and provide the ldap user/password this works fine:
#WORKS FINE
impalaConnectionURL=jdbc:impala://mycluster.lan:21050/default;AuthMech=3;krbRealm=MYCOMPANY.COM;SSL=1;SSLKeyStore=/opt/cloudera/security/thekey.jks;SSLKeyStorePwd=correctpassword;UID=correctuser;PWD=correctpassword
However we would like to connect using Kerberos authentication:
#DOES NOT WORK
impalaConnectionURL=jdbc:impala://mycluster.lan:21050/default;AuthMech=1;krbRealm=MYCOMPANY.COM;KrbHostFQDN=correctnode.lan;KrbServiceName=impala;SSL=1;SSLKeyStore=/opt/cloudera/security/thekey.jks;SSLKeyStorePwd=correctpassword;LogLevel=6
Breakdown of field used + motivation that values are correct in our opinion:
AuthMech=1; -->Kerberos Authentication
krbRealm=MYCOMPANY.COM; -->correct as klist returns: user@MYCOMPANY.COM
KrbHostFQDN=correctnode.lan; --> server where kerberos runs (on this server sudo service krb5kdc status shows it is active)
KrbServiceName=impala --> service for which kerberos authenitcation is used: this case impala
LogLevel=6 -->want to print as much info as possible
SSL=1; --> using ssl
SSLKeyStore=/opt/cloudera/security/pki/server.jks; --> specifying keystore
SSLKeyStorePwd=<pwd> --> password for keystore --> this is correct as it works when we do not use kerberos (see above)
Encountered error (JAVA log):
-------------------------------------------
java.sql.SQLException: [Cloudera][ImpalaJDBCDriver](500164) Error initialized or created transport for authentication: [Cloudera][ImpalaJDBCDriver](500169) Unable to connect to server: GSS initiate failed.
at com.cloudera.impala.hivecommon.api.HiveServer2ClientFactory.createTransport(Unknown Source)
at com.cloudera.impala.hivecommon.api.HiveServer2ClientFactory.createClient(Unknown Source)
at com.cloudera.impala.hivecommon.core.HiveJDBCCommonConnection.establishConnection(Unknown Source)
at com.cloudera.impala.impala.core.ImpalaJDBCConnection.establishConnection(Unknown Source)
at com.cloudera.impala.jdbc.core.LoginTimeoutConnection.connect(Unknown Source)
...
at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1855)
Caused by: com.cloudera.impala.support.exceptions.GeneralException: [Cloudera][ImpalaJDBCDriver](500164) Error initialized or created transport for authentication: [Cloudera][ImpalaJDBCDriver](500169) Unable to connect to server: GSS initiate failed.
... 16 common frames omitted
impala log:
----------------
I1029 14:08:34.201046 119410 thrift-util.cc:123] TAcceptQueueServer: Caught TException: sasl Peer indicated failure:
I am wondering if there are known issues using both kerberos and ssl in the impala jdbc string because of :
1)in the docs /online all examples for SSL use authentication mechanism=3- I have not found a single example using kerberos and ssl combined
2)I noticed a remark (https://docs.cloudera.com/documentation/enterprise/6/6.2/topics/impala_jdbc.html) :Prior to CDH 5.7 / Impala 2.5, the Hive JDBC driver did not support connections that use both Kerberos authentication and SSL encryption. Is possibly a similar issue also known for impala?
Thanks for any thoughts/input!
