Great spot! Indeed you are right, the KrbHostFQDN is not the host where kerberos runs on, but will be the impala host. This fixed my error. Many thanks for taking the time to read through the post and give the appropriate solution! PS: I believe then KrbHostFQDN will always be the same as the impala host we connect to (the value "impalahost" in jdbc:impala://impalahost), so one could ask why it is worth having a separate config option for this.
Dear community, we have a problem when connecting to impala with the impala jdbc connector.

Our cluster setup is:
- cdh 6.2/impala 3.2
- kerberos enabled
- ssl activated

Our cluster's configuration has been checked thoroughly and the cluster is correctly processing high volumes of data, using kerberos authentication and has security/sentry etc in place. SSL and kerberos processes work fine, in other words this is not a cluster we just started setting up.

We have an issue when making a connection from a java program using the impala jdbc connector. I am following the documentation on https://docs.cloudera.com/documentation/other/connectors/impala-jdbc/2-6-11/Cloudera-JDBC-Driver-for-Impala-Install-Guide.pdf (-> page 12 and 88 contain detailed explanation about the connection strings and each possible option for Kerberos).

When we use a connection string including ssl and authentication mechanism 3 and provide the ldap user/password this works fine:

    #WORKS FINE
    impalaConnectionURL=jdbc:impala://mycluster.lan:21050/default;AuthMech=3;krbRealm=MYCOMPANY.COM;SSL=1;SSLKeyStore=/opt/cloudera/security/thekey.jks;SSLKeyStorePwd=correctpassword;UID=correctuser;PWD=correctpassword

However we would like to connect using Kerberos authentication:

    #DOES NOT WORK
    impalaConnectionURL=jdbc:impala://mycluster.lan:21050/default;AuthMech=1;krbRealm=MYCOMPANY.COM;KrbHostFQDN=correctnode.lan;KrbServiceName=impala;SSL=1;SSLKeyStore=/opt/cloudera/security/thekey.jks;SSLKeyStorePwd=correctpassword;LogLevel=6

Breakdown of fields used + motivation that values are correct in our opinion:

    AuthMech=1; --> Kerberos Authentication
    krbRealm=MYCOMPANY.COM; --> correct as klist returns: user@MYCOMPANY.COM
    KrbHostFQDN=correctnode.lan; --> server where kerberos runs (on this server sudo service krb5kdc status shows it is active)
    KrbServiceName=impala --> service for which kerberos authentication is used: this case impala
    LogLevel=6 --> want to print as much info as possible
    SSL=1; --> using ssl
    SSLKeyStore=/opt/cloudera/security/pki/server.jks; --> specifying keystore
    SSLKeyStorePwd=<pwd> --> password for keystore --> this is correct as it works when we do not use kerberos (see above)

Encountered error (JAVA log):
-------------------------------------------

    java.sql.SQLException: [Cloudera][ImpalaJDBCDriver](500164) Error initialized or created transport for authentication: [Cloudera][ImpalaJDBCDriver](500169) Unable to connect to server: GSS initiate failed.
        at com.cloudera.impala.hivecommon.api.HiveServer2ClientFactory.createTransport(Unknown Source)
        at com.cloudera.impala.hivecommon.api.HiveServer2ClientFactory.createClient(Unknown Source)
        at com.cloudera.impala.hivecommon.core.HiveJDBCCommonConnection.establishConnection(Unknown Source)
        at com.cloudera.impala.impala.core.ImpalaJDBCConnection.establishConnection(Unknown Source)
        at com.cloudera.impala.jdbc.core.LoginTimeoutConnection.connect(Unknown Source)
        ...
        at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1855)
    Caused by: com.cloudera.impala.support.exceptions.GeneralException: [Cloudera][ImpalaJDBCDriver](500164) Error initialized or created transport for authentication: [Cloudera][ImpalaJDBCDriver](500169) Unable to connect to server: GSS initiate failed.
        ... 16 common frames omitted

impala log:
----------------

    I1029 14:08:34.201046 119410 thrift-util.cc:123] TAcceptQueueServer: Caught TException: sasl Peer indicated failure:

I am wondering if there are known issues using both kerberos and ssl in the impala jdbc string because of:

1) in the docs/online all examples for SSL use authentication mechanism=3 - I have not found a single example using kerberos and ssl combined
2) I noticed a remark (https://docs.cloudera.com/documentation/enterprise/6/6.2/topics/impala_jdbc.html): Prior to CDH 5.7 / Impala 2.5, the Hive JDBC driver did not support connections that use both Kerberos authentication and SSL encryption. Is possibly a similar issue also known for impala?

Thanks for any thoughts/input!
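The resolution reported in the reply at the top of this page (KrbHostFQDN names the Impala host, not the KDC) can be checked before a connection is attempted. The following is an added example, not part of the original posts and not Cloudera driver code: it parses the thread's connection string, builds the service principal the client will request a ticket for, and warns when KrbHostFQDN differs from the host in the URL. The function names are hypothetical, comparing property keys case-insensitively is an assumption, and a mismatch is reported as a warning because the URL may use an alias for the host.

```python
import re

# jdbc:impala://host[:port][/schema][;Key=Value...]
URL_RE = re.compile(
    r"^jdbc:impala://(?P<host>[^:/;]+)(?::\d+)?(?:/[^;]*)?(?P<props>(?:;[^;]*)*)$")

def parse_impala_url(url):
    """Return (host, props); keys are lower-cased (assumption of this example)."""
    m = URL_RE.match(url.strip())
    if m is None:
        raise ValueError("not a jdbc:impala:// URL")
    props = {}
    for pair in filter(None, m.group("props").split(";")):
        key, _, value = pair.partition("=")
        props[key.strip().lower()] = value.strip()
    return m.group("host"), props

def service_principal(props):
    """Principal the Kerberos client asks a ticket for: service/host[@REALM]."""
    spn = f"{props['krbservicename']}/{props['krbhostfqdn']}"
    realm = props.get("krbrealm")
    return f"{spn}@{realm}" if realm else spn

def lint(url):
    """Return a list of warnings for a Kerberos (AuthMech=1) connection string."""
    host, props = parse_impala_url(url)
    if props.get("authmech") != "1":
        return []  # not Kerberos; nothing to check here
    missing = [k for k in ("krbhostfqdn", "krbservicename") if not props.get(k)]
    if missing:
        return [f"AuthMech=1 but {k} is not set" for k in missing]
    if props["krbhostfqdn"].lower() != host.lower():
        return [f"KrbHostFQDN={props['krbhostfqdn']} differs from URL host {host}; "
                f"the ticket would be requested for {service_principal(props)}"]
    return []

# Connection strings from the thread, shortened (SSL options omitted).
FAILING = ("jdbc:impala://mycluster.lan:21050/default;AuthMech=1;"
           "krbRealm=MYCOMPANY.COM;KrbHostFQDN=correctnode.lan;KrbServiceName=impala")
# Constructed from the reply: KrbHostFQDN set to the Impala host in the URL.
FIXED = FAILING.replace("correctnode.lan", "mycluster.lan")

if __name__ == "__main__":
    for name, url in (("failing", FAILING), ("fixed", FIXED)):
        print(name, lint(url) or "ok")
```
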