Done. Added under "Useful Tips for New Impala Developers".
On Thu, Feb 22, 2018 at 1:17 PM, Tim Armstrong <tarmstr...@cloudera.com> wrote:

> If you figured this out, it would be helpful to add it to the developer
> wiki: https://cwiki.apache.org/confluence/display/IMPALA/Impala+Home . I
> gave you permissions to edit pages on it.
>
> On Wed, Feb 21, 2018 at 6:36 PM, Vincent Tran <vtt...@cloudera.com> wrote:
>
> > Please disregard. It turns out that both of the flags below were pointed to
> > localhost. SSL certificate's CN is sensitive to that. Simply setting those
> > flags to the FQDN matching your certificate's CN will do the trick.
> > --state_store_host
> > --catalog_service_host
> >
> > On Wed, Feb 21, 2018 at 7:13 PM, Vincent Tran <vtt...@cloudera.com> wrote:
> >
> > > Hi all,
> > >
> > > Is this the correct way to start the minicluster with SSL?
> > > I have not had much luck with this (I've also tried to generate a new
> > > self-signed cert/key pair, but Catalog couldn't connect to Statestore in
> > > that case):
> > >
> > > $IMPALA_HOME/bin/start-impala-cluster.py
> > > --impalad_args='--ssl_server_certificate=$IMPALA_HOME/be/src/testutil/server-cert.pem
> > > --ssl_private_key=$IMPALA_HOME/be/src/testutil/server-key.pem
> > > --ssl_client_ca_certificate=$IMPALA_HOME/be/src/testutil/server-cert.pem'
> > > --catalogd_args='--ssl_server_certificate=$IMPALA_HOME/be/src/testutil/server-cert.pem
> > > --ssl_private_key=$IMPALA_HOME/be/src/testutil/server-key.pem
> > > --ssl_client_ca_certificate=$IMPALA_HOME/be/src/testutil/server-cert.pem'
> > > --state_store_args='--ssl_server_certificate=$IMPALA_HOME/be/src/testutil/server-cert.pem
> > > --ssl_private_key=$IMPALA_HOME/be/src/testutil/server-key.pem
> > > --ssl_client_ca_certificate=$IMPALA_HOME/be/src/testutil/server-cert.pem'
> > >
> > > Starting State Store logging to /data/vtran/Impala/logs/cluster/statestored.INFO
> > > Starting Catalog Service logging to /data/vtran/Impala/logs/cluster/catalogd.INFO
> > > Starting Impala Daemon logging to /data/vtran/Impala/logs/cluster/impalad.INFO
> > > Starting Impala Daemon logging to /data/vtran/Impala/logs/cluster/impalad_node1.INFO
> > > Starting Impala Daemon logging to /data/vtran/Impala/logs/cluster/impalad_node2.INFO
> > > MainThread: Found 3 impalad/1 statestored/1 catalogd process(es)
> > > MainThread: Getting num_known_live_backends from blackbox:25000
> > > MainThread: Waiting for num_known_live_backends=3. Current value: 0
> > > MainThread: Getting num_known_live_backends from blackbox:25000
> > > MainThread: Waiting for num_known_live_backends=3. Current value: 0
> > > MainThread: Getting num_known_live_backends from blackbox:25000
> > > MainThread: Waiting for num_known_live_backends=3. Current value: 0
> > > ...
> > > MainThread: Getting num_known_live_backends from blackbox:25000
> > > MainThread: Waiting for num_known_live_backends=3. Current value: 0
> > > MainThread: Getting num_known_live_backends from blackbox:25000
> > > MainThread: Waiting for num_known_live_backends=3. Current value: 0
> > > MainThread: Getting num_known_live_backends from blackbox:25000
> > > MainThread: Waiting for num_known_live_backends=3. Current value: 0
> > > MainThread: Getting num_known_live_backends from blackbox:25000
> > > MainThread: Waiting for num_known_live_backends=3. Current value: 0
> > > Error starting cluster: num_known_live_backends did not reach expected
> > > value in time
> > >
> > > Daemon 1
> > > https://gist.github.com/vtstran/0d8db4959db7de6407a9e5da1ed4375c
> > >
> > > Statestore
> > > https://gist.github.com/vtstran/93c37a44109900325070a5c67eddcff9
> > >
> > > openssl s_client output
> > > https://gist.github.com/vtstran/cd26162457f9bcc271f6e8e0c1452078
> > >
> > > *TLDNR:* statestore has this complaint:
> > >
> > > I0221 18:50:08.176901 98753 client-cache.h:304] RPC Error: Client for
> > > blackbox:23020 hit an unexpected exception: authorize: cannot authorize
> > > peer, type: N6apache6thrift9transport13TSSLExceptionE, rpc:
> > > N6impala18THeartbeatResponseE, send: not done
> > >
> > > But I verified with openssl s_client that the provided CA should connect
> > > okay.
> > >
> > > So I feel like I may be missing something subtle here...
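
A pre-flight check for the fix described in the thread (added example, not code from the thread or from Impala): it reads --state_store_host and --catalog_service_host out of a daemon argument string and asks openssl whether the certificate covers each name. The function names are hypothetical; it assumes flags are written as --flag=value and that an absent flag resolves to localhost.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Function names are hypothetical.
# Checks that --state_store_host / --catalog_service_host name a host the
# TLS certificate actually covers, before the minicluster is started.

# Print the value of --FLAG=VALUE in an argument string (last one wins).
# Assumption: a flag that is absent resolves to "localhost".
flag_value() {  # $1 = daemon argument string, $2 = flag name without dashes
  local arg val=localhost
  for arg in $1; do
    case $arg in
      --"$2"=*|-"$2"=*) val=${arg#*=} ;;
    esac
  done
  printf '%s\n' "$val"
}

# Succeed only if the certificate's SAN/CN covers the hostname.
# openssl exits 0 either way, so the verdict is read from its output.
host_matches_cert() {  # $1 = certificate PEM, $2 = hostname
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
    grep -q 'does match certificate'
}

# Report both host flags; return non-zero if either is not covered.
check_cluster_args() {  # $1 = certificate PEM, $2 = daemon argument string
  local flag host rc=0
  for flag in state_store_host catalog_service_host; do
    host=$(flag_value "$2" "$flag")
    if host_matches_cert "$1" "$host"; then
      echo "OK        --$flag=$host"
    else
      echo "MISMATCH  --$flag=$host ($(openssl x509 -in "$1" -noout -subject))"
      rc=1
    fi
  done
  return "$rc"
}

# Stand-alone use: script.sh CERT.pem '--state_store_host=... --catalog_service_host=...'
if [ "$#" -eq 2 ]; then
  check_cluster_args "$1" "$2"
fi
```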