IMPALA-6514: [DOCS] impala-shell option for load balancer and Kerberos

Change-Id: I50d2063bfbe4838692777e2019ee3f3a991dfc21
Reviewed-on: http://gerrit.cloudera.org:8080/10047
Reviewed-by: Vincent Tran <vtt...@cloudera.com>
Reviewed-by: Alex Rodoni <arod...@cloudera.com>
Tested-by: Impala Public Jenkins <impala-public-jenk...@cloudera.com>


Project: http://git-wip-us.apache.org/repos/asf/impala/repo
Commit: http://git-wip-us.apache.org/repos/asf/impala/commit/5960d1b3
Tree: http://git-wip-us.apache.org/repos/asf/impala/tree/5960d1b3
Diff: http://git-wip-us.apache.org/repos/asf/impala/diff/5960d1b3

Branch: refs/heads/master
Commit: 5960d1b364a661a81c4513a33b6e9470282de162
Parents: e53bf27
Author: Alex Rodoni <arod...@cloudera.com>
Authored: Thu Apr 12 11:55:18 2018 -0700
Committer: Impala Public Jenkins <impala-public-jenk...@cloudera.com>
Committed: Mon Apr 16 01:50:14 2018 +0000

----------------------------------------------------------------------
 docs/topics/impala_proxy.xml         | 40 +++++++++++++++++++++++++++----
 docs/topics/impala_shell_options.xml | 29 ++++++++++++++++++++++
 2 files changed, 64 insertions(+), 5 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/impala/blob/5960d1b3/docs/topics/impala_proxy.xml
----------------------------------------------------------------------
diff --git a/docs/topics/impala_proxy.xml b/docs/topics/impala_proxy.xml
index 1f5bb4b..588fada 100644
--- a/docs/topics/impala_proxy.xml
+++ b/docs/topics/impala_proxy.xml
@@ -238,11 +238,41 @@ under the License.
         verify that the host they are connecting to is the same one that is
         actually processing the request, to prevent man-in-the-middle attacks.
       </p>
-      <note>
-          Once you enable a proxy server in a Kerberized cluster, users will 
not
-          be able to connect to individual impala daemons directly from impala
-          shell.
-      </note>
+      <p>
+        In <keyword keyref="impala211_full">Impala 2.11</keyword> and lower
+        versions, once you enable a proxy server in a Kerberized cluster, users
+        will not be able to connect to individual impala daemons directly from
+        impala-shell.
+      </p>
+
+      <p>
+        In <keyword keyref="impala212_full">Impala 2.12</keyword> and higher,
+        if you enable a proxy server in a Kerberized cluster, users have an
+        option to connect to Impala daemons directly from
+          <cmdname>impala-shell</cmdname> using the <codeph>-b</codeph> /
+          <codeph>--kerberos_host_fqdn</codeph> option when you start
+          <cmdname>impala-shell</cmdname>. This option can be used for testing 
or
+        troubleshooting purposes, but not recommended for live production
+        environments as it defeats the purpose of a load balancer/proxy.
+      </p>
+
+      <p>
+        Example:
+<codeblock>
+impala-shell -i impalad-1.mydomain.com -k -b loadbalancer-1.mydomain.com
+</codeblock>
+      </p>
+
+      <p>
+        Alternatively, with the fully qualified
+        configurations:
+<codeblock>impala-shell --impalad=impalad-1.mydomain.com:21000 --kerberos 
--kerberos_host_fqdn=loadbalancer-1.mydomain.com</codeblock>
+      </p>
+      <p>
+        See <xref href="impala_shell_options.xml#shell_options"/> for
+        information about the option.
+      </p>
+
       <p>
         To clarify that the load-balancing proxy server is legitimate, perform
         these extra Kerberos setup steps:

http://git-wip-us.apache.org/repos/asf/impala/blob/5960d1b3/docs/topics/impala_shell_options.xml
----------------------------------------------------------------------
diff --git a/docs/topics/impala_shell_options.xml 
b/docs/topics/impala_shell_options.xml
index d0407c9..73e2711 100644
--- a/docs/topics/impala_shell_options.xml
+++ b/docs/topics/impala_shell_options.xml
@@ -106,6 +106,35 @@ under the License.
             <row>
               <entry>
                 <p>
+                  -b or
+                </p>
+                <p>
+                  --kerberos_host_fqdn
+                </p>
+              </entry>
+              <entry>
+                <p>
+                  kerberos_host_fqdn=
+                </p>
+                <p>
+                  <varname>load-balancer-hostname</varname>
+                </p>
+              </entry>
+              <entry>
+                <p>
+                  If set, the setting overrides the expected hostname of the
+                  Impala daemon's Kerberos service principal.
+                    <cmdname>impala-shell</cmdname> will check that the 
server's
+                  principal matches this hostname. This may be used when
+                    <codeph>impalad</codeph> is configured to be accessed via a
+                  load-balancer, but it is desired for impala-shell to talk to 
a
+                  specific <codeph>impalad</codeph> directly.
+                </p>
+              </entry>
+            </row>
+            <row>
+              <entry>
+                <p>
                   --print_header
                 </p>
               </entry>

Reply via email to