IMPALA-6514: [DOCS] impala-shell option for load balancer and Kerberos

Change-Id: I50d2063bfbe4838692777e2019ee3f3a991dfc21
Reviewed-on: http://gerrit.cloudera.org:8080/10047
Reviewed-by: Vincent Tran <[email protected]>
Reviewed-by: Alex Rodoni <[email protected]>
Tested-by: Impala Public Jenkins <[email protected]>

Project: http://git-wip-us.apache.org/repos/asf/impala/repo Commit: http://git-wip-us.apache.org/repos/asf/impala/commit/5960d1b3 Tree: http://git-wip-us.apache.org/repos/asf/impala/tree/5960d1b3 Diff: http://git-wip-us.apache.org/repos/asf/impala/diff/5960d1b3 Branch: refs/heads/master Commit: 5960d1b364a661a81c4513a33b6e9470282de162 Parents: e53bf27 Author: Alex Rodoni <[email protected]> Authored: Thu Apr 12 11:55:18 2018 -0700 Committer: Impala Public Jenkins <[email protected]> Committed: Mon Apr 16 01:50:14 2018 +0000 ---------------------------------------------------------------------- docs/topics/impala_proxy.xml | 40 +++++++++++++++++++++++++++---- docs/topics/impala_shell_options.xml | 29 ++++++++++++++++++++++ 2 files changed, 64 insertions(+), 5 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/impala/blob/5960d1b3/docs/topics/impala_proxy.xml ---------------------------------------------------------------------- diff --git a/docs/topics/impala_proxy.xml b/docs/topics/impala_proxy.xml index 1f5bb4b..588fada 100644 --- a/docs/topics/impala_proxy.xml +++ b/docs/topics/impala_proxy.xml 
@@ -238,11 +238,41 @@ under the License. verify that the host they are connecting to is the same one that is actually processing the request, to prevent man-in-the-middle attacks. </p> - <note> - Once you enable a proxy server in a Kerberized cluster, users will not - be able to connect to individual impala daemons directly from impala - shell. - </note> + <p> + In <keyword keyref="impala211_full">Impala 2.11</keyword> and lower + versions, once you enable a proxy server in a Kerberized cluster, users + will not be able to connect to individual impala daemons directly from + impala-shell. + </p> + + <p> + In <keyword keyref="impala212_full">Impala 2.12</keyword> and higher, + if you enable a proxy server in a Kerberized cluster, users have an + option to connect to Impala daemons directly from + <cmdname>impala-shell</cmdname> using the <codeph>-b</codeph> / + <codeph>--kerberos_host_fqdn</codeph> option when you start + <cmdname>impala-shell</cmdname>. This option can be used for testing or + troubleshooting purposes, but not recommended for live production + environments as it defeats the purpose of a load balancer/proxy. + </p> + + <p> + Example: +<codeblock> +impala-shell -i impalad-1.mydomain.com -k -b loadbalancer-1.mydomain.com +</codeblock> + </p> + + <p> + Alternatively, with the fully qualified + configurations: +<codeblock>impala-shell --impalad=impalad-1.mydomain.com:21000 --kerberos --kerberos_host_fqdn=loadbalancer-1.mydomain.com</codeblock> + </p> + <p> + See <xref href="impala_shell_options.xml#shell_options"/> for + information about the option. + </p> + <p> To clarify that the load-balancing proxy server is legitimate, perform these extra Kerberos setup steps: http://git-wip-us.apache.org/repos/asf/impala/blob/5960d1b3/docs/topics/impala_shell_options.xml ---------------------------------------------------------------------- diff --git a/docs/topics/impala_shell_options.xml b/docs/topics/impala_shell_options.xml index d0407c9..73e2711 100644 
--- a/docs/topics/impala_shell_options.xml +++ b/docs/topics/impala_shell_options.xml @@ -106,6 +106,35 @@ under the License. <row> <entry> <p> + -b or + </p> + <p> + --kerberos_host_fqdn + </p> + </entry> + <entry> + <p> + kerberos_host_fqdn= + </p> + <p> + <varname>load-balancer-hostname</varname> + </p> + </entry> + <entry> + <p> + If set, the setting overrides the expected hostname of the + Impala daemon's Kerberos service principal. + <cmdname>impala-shell</cmdname> will check that the server's + principal matches this hostname. This may be used when + <codeph>impalad</codeph> is configured to be accessed via a + load-balancer, but it is desired for impala-shell to talk to a + specific <codeph>impalad</codeph> directly. + </p> + </entry> + </row> + <row> + <entry> + <p> --print_header </p> </entry>
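Review bot: In the docs/topics/impala_proxy.xml hunk, the new Impala 2.12 paragraph never says what value to pass to -b / --kerberos_host_fqdn or why; the reader has to infer it from loadbalancer-1.mydomain.com in the example. The unchanged context directly above is about clients verifying the host to prevent man-in-the-middle attacks, so state explicitly that the value is the load balancer's FQDN, that is, the hostname in the Kerberos service principal the daemons are set up with, and that impala-shell still checks the server's principal against it when connecting to an individual impalad. Smaller points in the same hunk: "but not recommended for live production environments" is missing its verb ("but is not recommended"); the 2.11 paragraph writes "impala daemons" and a bare "impala-shell" where the 2.12 paragraph uses "Impala daemons" and <cmdname>; and "with the fully qualified configurations" would be clearer as "with the long-form options".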
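Review bot: In the docs/topics/impala_shell_options.xml hunk, the new -b / --kerberos_host_fqdn row does not say which release introduced the option, although the impala_proxy.xml text in this same patch ties it to Impala 2.12 and higher; add the version to the description so the options table can be read on its own. Both examples in the proxy topic pass the option together with -k / --kerberos, so the row should also say whether the setting has any effect when Kerberos is not enabled. Minor: "impala-shell" is wrapped in <cmdname> on first use in the description but not in "it is desired for impala-shell to talk to", and "load-balancer" is hyphenated here while the other file writes "load balancer".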
