Hi all,

Is this the correct way to start the minicluster with SSL?
I have not had much luck with this (I've also tried to generate a new
self-signed cert/key pair, but Catalog couldn't connect to Statestore in that
case):


$IMPALA_HOME/bin/start-impala-cluster.py \
  --impalad_args='--ssl_server_certificate=$IMPALA_HOME/be/src/testutil/server-cert.pem --ssl_private_key=$IMPALA_HOME/be/src/testutil/server-key.pem --ssl_client_ca_certificate=$IMPALA_HOME/be/src/testutil/server-cert.pem' \
  --catalogd_args='--ssl_server_certificate=$IMPALA_HOME/be/src/testutil/server-cert.pem --ssl_private_key=$IMPALA_HOME/be/src/testutil/server-key.pem --ssl_client_ca_certificate=$IMPALA_HOME/be/src/testutil/server-cert.pem' \
  --state_store_args='--ssl_server_certificate=$IMPALA_HOME/be/src/testutil/server-cert.pem --ssl_private_key=$IMPALA_HOME/be/src/testutil/server-key.pem --ssl_client_ca_certificate=$IMPALA_HOME/be/src/testutil/server-cert.pem'


Starting State Store logging to
/data/vtran/Impala/logs/cluster/statestored.INFO
Starting Catalog Service logging to
/data/vtran/Impala/logs/cluster/catalogd.INFO
Starting Impala Daemon logging to
/data/vtran/Impala/logs/cluster/impalad.INFO
Starting Impala Daemon logging to
/data/vtran/Impala/logs/cluster/impalad_node1.INFO
Starting Impala Daemon logging to
/data/vtran/Impala/logs/cluster/impalad_node2.INFO
MainThread: Found 3 impalad/1 statestored/1 catalogd process(es)
MainThread: Getting num_known_live_backends from blackbox:25000
MainThread: Waiting for num_known_live_backends=3. Current value: 0
MainThread: Getting num_known_live_backends from blackbox:25000
MainThread: Waiting for num_known_live_backends=3. Current value: 0
MainThread: Getting num_known_live_backends from blackbox:25000
MainThread: Waiting for num_known_live_backends=3. Current value: 0
...
MainThread: Getting num_known_live_backends from blackbox:25000
MainThread: Waiting for num_known_live_backends=3. Current value: 0
MainThread: Getting num_known_live_backends from blackbox:25000
MainThread: Waiting for num_known_live_backends=3. Current value: 0
MainThread: Getting num_known_live_backends from blackbox:25000
MainThread: Waiting for num_known_live_backends=3. Current value: 0
MainThread: Getting num_known_live_backends from blackbox:25000
MainThread: Waiting for num_known_live_backends=3. Current value: 0
Error starting cluster: num_known_live_backends did not reach expected
value in time




Daemon 1
https://gist.github.com/vtstran/0d8db4959db7de6407a9e5da1ed4375c

Statestore
https://gist.github.com/vtstran/93c37a44109900325070a5c67eddcff9

openssl s_client output
https://gist.github.com/vtstran/cd26162457f9bcc271f6e8e0c1452078



*TLDNR:* statestore has this complaint:

I0221 18:50:08.176901 98753 client-cache.h:304] RPC Error: Client for
blackbox:23020 hit an unexpected exception: authorize: cannot authorize
peer, type: N6apache6thrift9transport13TSSLExceptionE, rpc:
N6impala18THeartbeatResponseE, send: not done

But I verified with openssl s_client that the provided CA should connect
okay.

So I feel like I may be missing something subtle here...
