
Impala-shell connection issue with ldap


Hello, I am trying to use simple LDAP auth for my Impala setup.
My setup:

hive-site.xml

<configuration>
<property>
<name>hive.support.concurrency</name>
<value>true</value>
</property>
<property>
<name>javax.jdo.option.ConnectionURL</name>
<value>jdbc:postgresql://postgres:5432/metastore</value>
</property>
<property>
<name>javax.jdo.option.ConnectionDriverName</name>
<value>org.postgresql.Driver</value>
</property>
<property>
<name>javax.jdo.option.ConnectionUserName</name>
<value>postgres</value>
</property>
<property>
<name>javax.jdo.option.ConnectionPassword</name>
<value>postgres</value>
</property>
<property>
<name>datanucleus.autoCreateSchema</name>
<value>true</value>
</property>
<property>
<name>datanucleus.autoCreateTables</name>
<value>true</value>
</property>
<property>
<name>hive.metastore.uris</name>
<value>thrift://localhost:9083</value>
</property>
<property>
<name>hive.metastore.schema.verification</name>
<value>true</value>
</property>

<property>
<name>hive.server2.authentication</name>
<value>LDAP</value>
</property>

<property>
<name>hive.server2.authentication.ldap.url</name>
<value>ldap://172.20.0.3:389</value>
</property>
<property>
<name>hive.server2.authentication.ldap.Domain</name>
<value>ldap.mycompany.org</value>
</property>
</configuration>

/etc/default/impala

IMPALA_CATALOG_SERVICE_HOST=127.0.0.1
IMPALA_STATE_STORE_HOST=127.0.0.1
IMPALA_STATE_STORE_PORT=24000
IMPALA_BACKEND_PORT=22000
IMPALA_LOG_DIR=/var/log/impala

IMPALA_CATALOG_ARGS=" -log_dir=${IMPALA_LOG_DIR} "
IMPALA_STATE_STORE_ARGS=" -log_dir=${IMPALA_LOG_DIR} -state_store_port=${IMPALA_STATE_STORE_PORT}"
IMPALA_SERVER_ARGS=" \
-log_dir=${IMPALA_LOG_DIR} \
-catalog_service_host=${IMPALA_CATALOG_SERVICE_HOST} \
-state_store_port=${IMPALA_STATE_STORE_PORT} \
-use_statestore \
-state_store_host=${IMPALA_STATE_STORE_HOST} \
-be_port=${IMPALA_BACKEND_PORT} \
-enable_ldap_auth -ldap_uri=ldap://172.20.0.3:389/ -ldap_passwords_in_clear_ok -ldap_domain=admin@ldap.mycompany.org -server_name=test_server -kudu_master_hosts=kudu_node1:7051,kudu_node2:7051,kudu_node3:7051 "

ENABLE_CORE_DUMPS=false

# LIBHDFS_OPTS=-Djava.library.path=/usr/lib/impala/lib
# MYSQL_CONNECTOR_JAR=/usr/share/java/mysql-connector-java.jar
# IMPALA_BIN=/usr/lib/impala/sbin
# IMPALA_HOME=/usr/lib/impala
# HIVE_HOME=/usr/lib/hive
# HBASE_HOME=/usr/lib/hbase
# IMPALA_CONF_DIR=/etc/impala/conf
# HADOOP_CONF_DIR=/etc/impala/conf
# HIVE_CONF_DIR=/etc/impala/conf
# HBASE_CONF_DIR=/etc/impala/conf

/etc/sentry/conf.dist/sentry-site.xml

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<property>
<name>sentry.service.security.mode</name>
<value>none</value>
</property>
<property>
<name>sentry.service.admin.group</name>
<value>admin1</value>
</property>
<property>
<name>sentry.service.allow.connect</name>
<value>impala,hive,solr</value>
</property>
<property>
<name>sentry.store.jdbc.url</name>
<value>jdbc:derby:;databaseName=sentry_store_db;create=true</value>
</property>
<property>
<name>sentry.store.jdbc.driver</name>
<value>org.apache.derby.jdbc.EmbeddedDriver</value>
</property>
<property>
<name>sentry.hive.server</name>
<value>test_server</value>
</property>
</configuration>

/etc/ldap/ldap.conf

#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE dc=ldap,dc=mycompany,dc=org
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

# TLS certificates (needed for GnuTLS)
TLS_CACERT      /etc/ssl/certs/ca-certificates.crt

For LDAP I am using Docker; its password is "secret".

Now when I try to log in using impala-shell with the following command:

impala-shell -l --ldap_password_cmd='echo -n secret' --auth_creds_ok_in_clear -i localhost:21000

I get the following error:

Starting Impala Shell using LDAP-based authentication
Error connecting: TTransportException, TSocket read 0 bytes
***********************************************************************************
Welcome to the Impala shell.
(Impala Shell v2.12.0-cdh5.15.0 (23f5745) built on Thu May 24 04:07:31 PDT 2018)

You can run a single query from the command line using the '-q' option.
***********************************************************************************

LDAP authentication is enabled, but the connection to Impala is not secured by TLS.
ALL PASSWORDS WILL BE SENT IN THE CLEAR TO IMPALA.
[Not connected] > 

and the log file /var/log/impala/impalad.ERROR is saying:

Log file created at: 2019/11/25 18:33:33
Running on machine: localhost
Log line format: [IWEF]mmdd hh:mm:ss.uuuuuu threadid file:line] msg
E1125 18:33:33.983707 10434 logging.cc:121] stderr will be logged to this file.
E1125 18:33:50.578375 10782 authentication.cc:179] SASL message (LDAP): Password verification failed

What am I missing here? Thanks in advance. 
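
Added example, not part of the original post and not Impala's own code: a small check over the LDAP flags from the posted IMPALA_SERVER_ARGS. It shows the bind name impalad derives from the login name under `-ldap_domain`, `-ldap_baseDN` or `-ldap_bind_pattern` (behaviour as described in Impala's LDAP documentation) and flags cleartext transport. The function names and the login user `admin` are assumptions.

```python
import shlex

# Constructed input: the LDAP-related flags copied from the posted IMPALA_SERVER_ARGS.
POSTED_ARGS = ("-enable_ldap_auth -ldap_uri=ldap://172.20.0.3:389/ "
               "-ldap_passwords_in_clear_ok -ldap_domain=admin@ldap.mycompany.org")

def parse_flags(args):
    """Turn '-name=value -switch' into {'name': 'value', 'switch': True}."""
    flags = {}
    for tok in shlex.split(args):
        name, sep, value = tok.lstrip("-").partition("=")
        flags[name] = value if sep else True
    return flags

def bind_name(flags, user):
    """Name presented to the LDAP server for `user` under each documented mode."""
    if "ldap_domain" in flags:        # username@ldap_domain
        return f"{user}@{flags['ldap_domain']}"
    if "ldap_baseDN" in flags:        # uid=username,ldap_baseDN
        return f"uid={user},{flags['ldap_baseDN']}"
    if "ldap_bind_pattern" in flags:  # #UID is replaced by the username
        return flags["ldap_bind_pattern"].replace("#UID", user)
    return user

def audit(args, user):
    """Return (bind name, list of findings) for an impalad flag string."""
    flags = parse_flags(args)
    findings = []
    modes = [m for m in ("ldap_domain", "ldap_baseDN", "ldap_bind_pattern") if m in flags]
    if len(modes) > 1:
        findings.append("mutually exclusive flags set: " + ", ".join(modes))
    name = bind_name(flags, user)
    if "ldap_domain" in flags and name.count("@") != 1:
        findings.append(f"bind name {name!r} is not user@domain; -ldap_domain takes the domain only")
    tls = str(flags.get("ldap_tls", "false")).lower() in ("true", "1")
    if str(flags.get("ldap_uri", "")).startswith("ldap://") and not tls:
        findings.append("ldap:// without -ldap_tls: bind password crosses the network unencrypted")
    if flags.get("ldap_passwords_in_clear_ok"):
        findings.append("-ldap_passwords_in_clear_ok permits passwords to be sent without TLS")
    return name, findings

if __name__ == "__main__":
    name, findings = audit(POSTED_ARGS, "admin")
    print("bind name:", name)
    for finding in findings:
        print("-", finding)
```
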
