
SSL and LDAP architecture within Impala - need to study

Explorer

Hello,

I was trying to figure out what exactly happens when we enable SSL and LDAP on an Impala cluster and integrate it with a BI tool (client). I mean, I would like to understand each call flow: after the SSL handshake, how the data get transferred, basically a sequence diagram, and which functions in the source code take care of this. I could hardly find anything of good extent on the SSL and LDAP working procedure in the Cloudera documentation.

 

Does anyone have better links or documents for this?

 

 

Regards

Sreeman

 



Rising Star

When LDAP is enabled, the flow is like this:

 

  1. The client (e.g. the Impala shell) opens a connection to Impala and indicates that it wants to use LDAP authentication
  2. Impala accepts the connection and the username and password from the client
  3. Impala opens a connection to the LDAP server, and calls ldap_simple_bind_s(user, pass) on that connection
  4. If successful, the client is authenticated; if not, its connection is closed.

If SSL is enabled either between the client and the server or between the server and the LDAP server, that doesn't change much except to say that the connection is secured by SSL before any further data are exchanged on it.

 

The code to actually perform the authentication is here: https://github.com/cloudera/Impala/blob/master/be/src/rpc/authentication.cc (see SaslLdapCheckPass() in particular). 

 

Henry
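The four steps above, modelled in Python as an added example (this is not Impala's code and not Henry's; SaslLdapCheckPass() is the real callback, this only mimics what it does). The client message is the SASL PLAIN format from RFC 4616, which is what impala-shell -l sends once the transport (TLS or not) is up. The DN-building flags --ldap_domain, --ldap_baseDN and --ldap_bind_pattern are real impalad flags recalled from its documentation, not from this thread, and the in-memory directory standing in for ldap_simple_bind_s() is constructed data. It also shows the one check a practitioner should insist on before calling simple bind: an empty password is an "unauthenticated" simple bind, which Active Directory accepts by default as an anonymous session.

```python
"""Model of the LDAP authentication flow Henry describes (client -> impalad ->
LDAP). Added example, not Impala source. The SASL PLAIN wire format is RFC 4616;
the DN-building flags (--ldap_domain, --ldap_baseDN, --ldap_bind_pattern with
#UID) are real impalad flags recalled from its documentation, not from this
thread; the in-memory directory standing in for ldap_simple_bind_s() is
constructed data."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


def sasl_plain_initial_response(authcid: str, password: str, authzid: str = "") -> bytes:
    """Step 1, client side: the SASL PLAIN message [authzid] NUL authcid NUL
    passwd (RFC 4616) that e.g. impala-shell -l sends once the transport is
    up (and, with SSL, after the TLS handshake)."""
    for part in (authzid, authcid, password):
        if "\0" in part:
            raise ValueError("NUL is not allowed inside a PLAIN field")
    return b"\0".join(p.encode("utf-8") for p in (authzid, authcid, password))


def parse_plain_initial_response(msg: bytes) -> Tuple[str, str, str]:
    """Step 2, server side: split the message back into (authzid, authcid, passwd)."""
    parts = msg.split(b"\0")
    if len(parts) != 3:
        raise ValueError("malformed SASL PLAIN message")
    authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    return authzid, authcid, passwd


def build_bind_dn(user: str, domain: Optional[str] = None,
                  base_dn: Optional[str] = None,
                  bind_pattern: Optional[str] = None) -> str:
    """Turn the SASL user name into the name passed to ldap_simple_bind_s().
    Assumption (recalled impalad behaviour): --ldap_domain gives user@domain
    (the usual Active Directory form), --ldap_baseDN gives uid=user,<baseDN>,
    --ldap_bind_pattern substitutes #UID, and only one of the three may be set."""
    if sum(1 for opt in (domain, base_dn, bind_pattern) if opt) > 1:
        raise ValueError("ldap_domain, ldap_baseDN and ldap_bind_pattern are mutually exclusive")
    if bind_pattern:
        return bind_pattern.replace("#UID", user)
    if domain:
        return f"{user}@{domain}"
    if base_dn:
        return f"uid={user},{base_dn}"
    return user


@dataclass
class FakeLdapServer:
    """Stand-in for AD/LDAP: maps bind name -> password (constructed data)."""
    entries: Dict[str, str] = field(default_factory=dict)

    def simple_bind_s(self, dn: str, password: str) -> bool:
        """Result of ldap_simple_bind_s(dn, password). An empty password is an
        'unauthenticated' simple bind (RFC 4513 section 5.1.2): Active Directory,
        for one, accepts it by default and treats the session as anonymous, so
        the bind succeeds without proving anything about dn."""
        if password == "":
            return True
        return self.entries.get(dn) == password


def impalad_authenticate(ldap: FakeLdapServer, wire_msg: bytes, *,
                         domain: Optional[str] = None,
                         base_dn: Optional[str] = None,
                         bind_pattern: Optional[str] = None) -> bool:
    """Steps 2-4: take user/password off the client connection, bind to LDAP
    with them, and report whether the client connection stays open."""
    _authzid, user, password = parse_plain_initial_response(wire_msg)
    # Guard against the unauthenticated-bind pitfall before touching LDAP:
    # without it, any user name plus an empty password would 'authenticate'.
    if not user or not password:
        return False
    dn = build_bind_dn(user, domain, base_dn, bind_pattern)
    return ldap.simple_bind_s(dn, password)


# Constructed directory: one AD-style entry, one OpenLDAP-style entry.
DIRECTORY = FakeLdapServer({
    "sreeman@corp.example": "s3cret",
    "uid=alice,ou=people,dc=corp,dc=example": "pw1",
})

if __name__ == "__main__":
    msg = sasl_plain_initial_response("sreeman", "s3cret")
    print(impalad_authenticate(DIRECTORY, msg, domain="corp.example"))             # True
    print(impalad_authenticate(DIRECTORY, b"\0sreeman\0", domain="corp.example"))  # False
```

Note what SSL changes and what it does not: the bytes of the PLAIN message are the same either way; the only difference is whether the TCP stream carrying them (and the later LDAP bind) is inside TLS. Nothing in the flow hashes or otherwise protects the password, which is why the transport has to.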

Explorer

Thanks Henry for giving me the GitHub link. Let's say in this case I want to establish an SSL connection between Tableau Server and the Impala server, and also between the Impala server and Active Directory. Does Impala support it? I mean, while enabling SSL, we can provide only one SSL certificate for the SSL server certificate path parameter? Am I right?

 

Regards

Sreeman

Rising Star

Yes, Impala supports that configuration. You would use --ssl_server_certificate to secure Impala<-> client connections, and --ldap_ca_certificate to secure Impala <-> LDAP connections.

 

Henry

Explorer

Thank you Henry. In case we don't set up SSL between AD and Impala/Hive, does it encrypt the password automatically? I see that if we set ldap_passwords_in_clear_ok to false, then the password will not be in clear form? But I am not sure about the user ID. If both user ID and password are encrypted by default, what kind of encryption logic is used?

 

 

Regards

Sreeman

Rising Star

There is no encryption other than that provided by SSL, which affects all traffic. If you set --ldap_passwords_in_clear_ok=false, Impala will fail to start unless the connection to the AD server has SSL enabled.

 

Henry

New Contributor

Henry - can you give a bit of background as to how --ldap_passwords_in_clear_ok is supposed to be used? We have a secure impala to LDAP connection but have not set the --ldap_passwords_in_clear_ok parameter. Do we need to?

Rising Star

You should use --ldap_passwords_in_clear_ok *only* if you're comfortable with Impala sending passwords in the clear to the LDAP server, i.e. not by a secure connection.

 

This flag is mainly as an override for secure-by-default configuration. You should not set it unless there is no way to secure the password-carrying connections.

 

Henry
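To make the two answers above concrete (the two-certificate setup and the meaning of --ldap_passwords_in_clear_ok), here is an added pre-flight check over an impalad command line. It is not Impala's own startup validation and not Henry's code. --ssl_server_certificate, --ldap_ca_certificate and --ldap_passwords_in_clear_ok are the flags named in this thread; --enable_ldap_auth, --ldap_uri, --ldap_tls and --ssl_private_key are real impalad flags recalled from its documentation. The fatal rule follows Henry's description (refuse to start when a password-carrying hop is plaintext unless the override is set); applying the same rule to the client -> impalad hop is my extension and should be read as an assumption. The command lines are constructed.

```python
"""Pre-flight check of an impalad command line for the two password-carrying
hops in the thread: client -> impalad and impalad -> LDAP/AD. Added example,
not Impala's own startup validation. --ssl_server_certificate,
--ldap_ca_certificate and --ldap_passwords_in_clear_ok come from the thread;
--enable_ldap_auth, --ldap_uri, --ldap_tls and --ssl_private_key are real
impalad flags recalled from its documentation. Treating the client hop the
same way as the LDAP hop is an assumption, not something the thread states."""
import shlex
from typing import Dict, List, Tuple


def parse_gflags(cmdline: str) -> Dict[str, str]:
    """Map --flag=value, bare --flag (true) and --noflag (false) to a dict.
    argv[0] and non-flag tokens are ignored."""
    flags: Dict[str, str] = {}
    for tok in shlex.split(cmdline)[1:]:
        if not tok.startswith("--"):
            continue
        body = tok[2:]
        if "=" in body:
            name, value = body.split("=", 1)
        elif body.startswith("no"):      # gflags boolean negation, e.g. --noenable_ldap_auth
            name, value = body[2:], "false"
        else:
            name, value = body, "true"
        flags[name] = value
    return flags


def is_true(value: str) -> bool:
    return value.strip().lower() in ("true", "t", "1", "yes")


def preflight(flags: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Return (fatal, warnings); a non-empty fatal list means impalad should not start."""
    fatal: List[str] = []
    warnings: List[str] = []
    if not is_true(flags.get("enable_ldap_auth", "false")):
        return fatal, warnings      # no LDAP passwords in play
    clear_ok = is_true(flags.get("ldap_passwords_in_clear_ok", "false"))
    if clear_ok:
        warnings.append("ldap_passwords_in_clear_ok=true: passwords may cross the network unencrypted")

    # Hop 2: impalad -> LDAP. Secured by an ldaps:// URI or StartTLS (--ldap_tls);
    # --ldap_ca_certificate is what pins the directory's certificate to a CA you trust.
    uri = flags.get("ldap_uri", "")
    if not uri:
        fatal.append("enable_ldap_auth requires --ldap_uri")
    ldap_secured = uri.lower().startswith("ldaps://") or is_true(flags.get("ldap_tls", "false"))
    if not ldap_secured and not clear_ok:
        fatal.append("impalad -> LDAP hop is plaintext: use ldaps:// or --ldap_tls "
                     "(or, only as a last resort, --ldap_passwords_in_clear_ok=true)")
    if ldap_secured and not flags.get("ldap_ca_certificate"):
        warnings.append("LDAP TLS without --ldap_ca_certificate: directory certificate "
                        "is not pinned to a CA you control")

    # Hop 1: client -> impalad. Secured by --ssl_server_certificate + --ssl_private_key
    # (assumption: same plaintext rule applied here as on the LDAP hop).
    cert, key = flags.get("ssl_server_certificate"), flags.get("ssl_private_key")
    if cert and not key:
        fatal.append("--ssl_server_certificate set without --ssl_private_key")
    if not cert and not clear_ok:
        fatal.append("client -> impalad hop is plaintext: set --ssl_server_certificate "
                     "and --ssl_private_key")
    return fatal, warnings


# Constructed command lines for the cases discussed in the thread.
SECURED = ("impalad --enable_ldap_auth --ldap_uri=ldaps://ad.corp.example:636 "
           "--ldap_ca_certificate=/etc/pki/ad-ca.pem "
           "--ssl_server_certificate=/etc/pki/impalad.pem --ssl_private_key=/etc/pki/impalad.key")
PLAINTEXT = "impalad --enable_ldap_auth --ldap_uri=ldap://ad.corp.example:389"

if __name__ == "__main__":
    for cmd in (SECURED, PLAINTEXT, PLAINTEXT + " --ldap_passwords_in_clear_ok=true"):
        print(preflight(parse_gflags(cmd)))
```

The point of separating fatal from warnings is the one Henry makes: the override flag does not make anything safer, it only silences the refusal, so it shows up here as a warning rather than a pass.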

New Contributor
Ok got it. Just wanted to make sure we don't have to set it to false. Thank you.

Hi, 

 

Is there a way to use SSL encryption ( or any other encryption) only for the login credentials encryption and not the other traffic on the user -> impala connection 

I am using Tableau to extract data from Impala. In order to authenticate users, I activated LDAP authentication on impala, and in order to encrypt the user credentials transmission from Tableau to Impala, I used the SSL encryption. However, SSL encryption is applied to all traffic and it really slows down the data extraction from Impala. 

 

I am looking for a way to encrypt only the user credentials during the authentication step and then not use SSL for the rest of the data traffic. Is there a way to do it?

 

Thanks in advance. 

 

 

 

Rising Star

Hi - 

 

Not currently, I'm afraid. Authentication and data access go over the same connection.

 

To change that, Impala's clients would have to connect over another channel after authentication. The client would have to receive during authentication some shared secret token allowing it to prove to the server that it's ok to access data. We don't currently have any plans to implement this.

 

Best,

Henry

In that case, can you suggest a way to speed up the SSL communication with Impala ?

Currently we are using Tableau to extract data from Impala. And with SSL activated, the data extraction is at least 30x to 100x slower than before.

Did you see this behavior ? Do you have a remedy for it ?

Thanks in advance.
