Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

SSL and LDAP architecture with in Impala-Need to study

Labels:
avatar
author-rank Sreeman
Explorer

Created on ‎07-30-2014 10:35 PM - edited ‎09-16-2022 02:03 AM

Hello,

I was trying to figure out what exactly happens when we enable SSL and LDAP on Impala cluster and the same integrated with any BI tool (client). I mean, I would like to understand each call flow, after SSL handshake how the data get transfered, basically a sequence diagram and which functions in the source code takes care of this. I hardly found good extent on SSL and LDAP working procedure in the cloudera documentation.

 

Any one has better links or documents for the same.

 

 

Regards

Sreeman

 

8,884 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank HenryR author-rank
Expert Contributor

Created ‎08-04-2014 11:55 AM

Yes, Impala supports that configuration. You would use --ssl_server_certificate to secure Impala<-> client connections, and --ldap_ca_certificate to secure Impala <-> LDAP connections.

 

Henry

View solution in original post

8,797 Views
11 REPLIES 11

avatar
author-rank HenryR author-rank
Expert Contributor

Created ‎08-01-2014 03:56 PM

When LDAP is enabled, the flow is like this:

 

  1. The client (e.g. the Impala shell) opens a connection to Impala and indicates that it wants to use LDAP authentication
  2. Impala accepts the connection and the username and password from the client
  3. Impala opens a connection to the LDAP server, and calls ldap_simple_bind_s(user, pass) on that connection
  4. If successful, the client is authenticated, if not its connection is closed.

If SSL is enabled either between the client and the server or between the server and the LDAP server, that doesn't change much except to say that the connection is secured by SSL before any further data are exchanged on it.

 

The code to actually perform the authentication is here: https://github.com/cloudera/Impala/blob/master/be/src/rpc/authentication.cc (see SaslLdapCheckPass() in particular). 

 

Henry

8,372 Views

avatar
author-rank Sreeman
Explorer

Created ‎08-03-2014 11:34 PM

Thanks Henry for giving me the github link. Let's in this case I want to establish SSL connection between Tableau server and Impala server and also between Impala server and Active Directory.Does impala support it? I mean while enabling SSL, we can provide only one SSL certificate for the ssl server certifcate path parameter? Am I right?

 

Regards

Sreeman

8,365 Views
0 Kudos

avatar
author-rank HenryR author-rank
Expert Contributor

Created ‎08-04-2014 11:55 AM

Yes, Impala supports that configuration. You would use --ssl_server_certificate to secure Impala<-> client connections, and --ldap_ca_certificate to secure Impala <-> LDAP connections.

 

Henry

8,798 Views

avatar
author-rank Sreeman
Explorer

Created ‎08-05-2014 02:56 AM

Thank you Henry. In case if we don't set SSL between AD and Impala/Hive, does it encrypt the password automatically? I see if we set ldap_passwords_in_clear_ok, false then password will not be in clear form? But I am not sure about user id? If both user id and password encrypted by default what kind of encryption logic is used?

 

 

Regards

Sreeman

8,351 Views
0 Kudos

avatar
author-rank HenryR author-rank
Expert Contributor

Created ‎08-05-2014 10:52 AM

There is no encryption other than that provided by SSL, which affects all traffic. If you set --ldap_passwords_in_clear_ok=false, Impala will fail to start unless the connection to the AD server has SSL enabled.

 

Henry

8,348 Views

avatar
author-rank smarinov
Explorer

Created on ‎06-24-2015 07:58 AM - edited ‎06-24-2015 07:59 AM

Henry - can you give a bit of background as to how --ldap_passwords_in_clear_ok is supposed to be used? We have a secure impala to LDAP connection but have not set the --ldap_passwords_in_clear_ok parameter. Do we need to?

8,111 Views
0 Kudos

avatar
author-rank HenryR author-rank
Expert Contributor

Created ‎06-24-2015 11:02 AM

You should use --ldap_passwords_in_clear_ok *only* if you're comfortable with Impala sending passwords in the clear to the LDAP server, i.e. not by a secure connection.

 

This flag is mainly as an override for secure-by-default configuration. You should not set it unless there is no way to secure the password-carrying connections.

 

Henry

8,103 Views
0 Kudos

avatar
author-rank smarinov
Explorer

Created ‎06-24-2015 11:05 AM

Ok got it. Just wanted to make sure we don't have to set it to false. Thank you.

8,102 Views
0 Kudos

avatar
author-rank zeeshan.khan
Explorer

Created on ‎07-23-2015 10:02 AM - edited ‎07-24-2015 04:16 AM

Hi, 

 

Is there a way to use SSL encryption ( or any other encryption) only for the login credentials encryption and not the other traffic on the user -> impala connection 

I am using Tableau to extract data from Impala. In order to authenticate users, I activated LDAP authentication on impala, and in order to encrypt the user credentials transmission from Tableau to Impala, I used the SSL encryption. However, SSL encryption is applied to all traffic and it really slows down the data extraction from Impala. 

 

I am looking for a way to encrypt only the user credentials during the authentication step and then not use SSL for the rest of the data traffice. Is there a way to do it ? 

 

Thanks in advance. 

 

 

 

8,019 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements