Impala integration with LDAP

New Contributor

Hello,

This is my very first comment in the community. We have already kerberized our Cloudera cluster (v5.16), and we wanted to integrate Impala with LDAP. Here are the steps we followed:

1) Set up an OpenLDAP server with a user

uid=user,ou=customer,dc=example,dc=com

2) Made sure I can authenticate with this user against the newly set up LDAP server using the ldapsearch command.

Anirudhs-MacBook-Pro:~ anirudh$ ldapsearch -W -h ldap.example.com -D "uid=user,ou=customer,dc=example,dc=com" -b "dc=example,dc=com" "uid=user"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: uid=user
# requesting: ALL
#

# user, customer, example.com
dn: uid=user,ou=customer,dc=example,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: user
uid: user
uidNumber: 9999
gidNumber: 100
homeDirectory: /home/user
loginShell: /bin/bash
gecos: user[User]

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

3) Integrated the LDAP server with Impala in Cloudera:

[Screenshot of the Impala LDAP settings in Cloudera Manager: Screen Shot 2019-03-22 at 1.27.01 PM.png, not reproduced]

4) We also have HAProxy set up, and here are the settings:


Impala frontend 25003 > backend 21000
impala-jdbc frontend 21051 > backend 21050

5) If I run impala-shell without LDAP, I am able to connect:

#>impala-shell -i cdhmaster1:25003
Starting Impala Shell without Kerberos authentication
Kerberos ticket found in the credentials cache, retrying the connection with a secure transport.
Connected to cdhmaster1:25003
Server version: impalad version 2.12.0-cdh5.15.1 RELEASE (build 64f4e19bf59fab8664ebff7e80fc70570dcd8cb8)
***********************************************************************************
Welcome to the Impala shell.
(Impala Shell v2.12.0-cdh5.15.1 (64f4e19) built on Thu Aug  9 09:21:02 PDT 2018)

The HISTORY command lists all shell commands in chronological order.
***********************************************************************************
[cdhmaster1:25003] >

But if I try to connect with LDAP, I am not able to connect:

impala-shell --ssl --ca_cert=/tmp/ca_certs.pem -l -u user@example.com -i cdhmaster1:25003
Starting Impala Shell using LDAP-based authentication
SSL is enabled
LDAP password for user@example.com:
Error connecting: TTransportException, Could not connect to cdhmaster1:25003
Kerberos ticket found in the credentials cache, retrying the connection with a secure transport.
Error connecting: TTransportException, Could not connect to cdhmaster1:25003
***********************************************************************************
Welcome to the Impala shell.
(Impala Shell v2.12.0-cdh5.15.1 (64f4e19) built on Thu Aug  9 09:21:02 PDT 2018)

The SET command shows the current value of all shell and query options.
***********************************************************************************
[Not connected] >

Has anyone run into a similar issue, and if so, how would I troubleshoot this?

Re: Impala integration with LDAP

Cloudera Employee

https://www.cloudera.com/documentation/enterprise/5-16-x/topics/impala_ldap.html might be helpful here.

Have you taken a look at the impalad logs on cdhmaster1?

Re: Impala integration with LDAP

New Contributor

@SahilTakiar 

Thanks for your reply. I took a look at that link, but it was not that helpful. I just wanted a confirmation regarding my procedure: did I miss any steps in my setup?

Also, since I am not using Active Directory but a Linux-based OpenLDAP server, would that make any difference?

In that link it says "LDAP Restrictions for Impala". Does this mean OpenLDAP is not supported?

I found no logs on cdhmaster1 since it is just acting as a load balancer, and no real impalad is running there.

Re: Impala integration with LDAP

Cloudera Employee

I believe OpenLDAP should work. Have you tried using "--ldap_ca_certificate" instead of "--ca_cert"? According to Impala, "--ldap_ca_certificate" is "The full path to the certificate file used to authenticate the LDAP server's certificate for SSL / TLS connections."

Do the logs for the impalad you are trying to connect to contain any relevant debugging information?

The main restriction I am aware of is lack of support for LDAP search / bind operations in Impala - https://issues.apache.org/jira/browse/IMPALA-2563
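Added example, written for this thread and not taken from the posts or from Cloudera: a small Python probe that separates the failures hidden behind the generic TTransportException in step 5 of the question, namely port closed, port open but the backend speaking plaintext (what an --ssl client sees when the load balancer forwards to an impalad with no TLS configured), TLS present but the bundle passed as --ca_cert not trusting the server certificate, or a working handshake. It assumes only the host, port and CA path from the thread (cdhmaster1:25003, /tmp/ca_certs.pem) as the values you would pass; start_plaintext_stub is a constructed stand-in for a plaintext backend so the probe can be exercised offline.

```python
import socket
import ssl
import threading

def probe_tls_endpoint(host, port, ca_cert=None, timeout=3.0):
    """Classify what an --ssl client sees at host:port: 'refused',
    'timeout', 'not_tls' (TCP accepted but the ClientHello is answered
    with non-TLS bytes or a close, which the client only reports as a
    transport error), 'cert_error' or 'ok'."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"
    except OSError:  # socket.timeout, host unreachable, ...
        return "timeout"
    ctx = ssl.create_default_context(cafile=ca_cert)  # ca_cert=None: system CAs
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.getpeercert()  # handshake completed, chain verified
            return "ok"
    except ssl.SSLCertVerificationError:
        return "cert_error"  # TLS is there, but not trusted via ca_cert
    except socket.timeout:
        return "timeout"  # accepted, but never answered the ClientHello
    except (ssl.SSLError, OSError):
        return "not_tls"
    finally:
        raw.close()

def start_plaintext_stub():
    """Constructed fixture standing in for an impalad with no TLS: accepts
    TCP, swallows the ClientHello, replies in plaintext. Returns (port, stop)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    srv.settimeout(0.2)
    stop = threading.Event()
    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                conn.recv(1024)
                conn.sendall(b"plaintext thrift, not TLS\n")
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stop.set
```

From a client host, probe_tls_endpoint("cdhmaster1", 25003, ca_cert="/tmp/ca_certs.pem") returning "not_tls" while the same call against an impalad's own port returns "ok" points at the HAProxy path rather than at LDAP, and "cert_error" points at the CA bundle. Only "ok" means the LDAP credentials are what is actually being tested next.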