[jira] [Commented] (IMPALA-10745) impala-shell should support Kerberos over HTTP

Thu, 10 Jun 2021 09:28:05 -0700 


    [ 
https://issues.apache.org/jira/browse/IMPALA-10745?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17361067#comment-17361067
 ] 

Fang-Yu Rao commented on IMPALA-10745:
--------------------------------------

Tagged [~csringhofer] since you are more versed in this area.

> impala-shell should support Kerberos over HTTP
> ----------------------------------------------
>
>                 Key: IMPALA-10745
>                 URL: https://issues.apache.org/jira/browse/IMPALA-10745
>             Project: IMPALA
>          Issue Type: New Feature
>            Reporter: Fang-Yu Rao
>            Assignee: Fang-Yu Rao
>            Priority: Major
>
> Currently if we try to connect to a Kerberized impalad via "{{hs2-http}}" by 
> executing "{{impala-shell --protocol='hs2-http' -k}}", there would be the 
> following error.
> {noformat}
> [root@engesc8305d07-2 impalad]# impala-shell --protocol='hs2-http' -k
> Starting Impala Shell using Kerberos authentication
> Using service name 'impala'
> Warning: --connect_timeout_ms is currently ignored with HTTP transport.
> Kerberos not supported with HTTP endpoints.
> Error connecting: NotImplementedError,
> ***********************************************************************************
> Welcome to the Impala shell.
> (Impala Shell v3.4.0-SNAPSHOT (134517e) built on Thu Nov 26 15:55:15 UTC 2020)
> You can run a single query from the command line using the '-q' option.
> ***********************************************************************************
> [Not connected] >
> {noformat}
> In theory Impala already supports Kerberos over the HTTP protocol since we 
> are able to connect to a Kerberized impalad via a JDBC driver.
> {noformat}
> [root@c3512-node2 ~]# beeline -d "com.cloudera.impala.jdbc41.Driver" -u 
> 'jdbc:impala://c3512-node3.coelab.cloudera.com:28000/;transportMode=http;httpPath=cliservice;AuthMech=1;KrbRealm=SUPPORT.COM;KrbHostFQDN=_HOST;KrbServiceName=impala;SSL=1;SSLTrustStore=/tmp/gateway-client-trust.jks;SSLTrustStorePwd=changeit'
>  -e 'select 1'
> Connecting to 
> jdbc:impala://c3512-node3.coelab.cloudera.com:28000/;transportMode=http;httpPath=cliservice;AuthMech=1;KrbRealm=SUPPORT.COM;KrbHostFQDN=_HOST;KrbServiceName=impala;SSL=1;SSLTrustStore=/tmp/gateway-client-trust.jks;SSLTrustStorePwd=changeit
> Connected to: Impala (version 3.4.0-SNAPSHOT)
> Driver: ImpalaJDBC (version 02.06.23.1028)
> +---------+
> | expr_0 |
> +---------+
> | 1 |
> +---------+
> 1 row selected (1.227 seconds)
> {noformat}
> Specifically, IMPALA-8783 added Kerberos SPNEGO support to the http hs2 
> server and yet later on in IMPALA-8932 we added a condition to not try to 
> connect via Kerberos if the protocol is HTTP at 
> [https://gerrit.cloudera.org/c/14201/3/shell/impala_shell.py#816].
> It seems we could remove this additional condition to allow impala-shell to 
> support Kerberos over HTTP.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-all-unsubscr...@impala.apache.org
For additional commands, e-mail: issues-all-h...@impala.apache.org

Reply via email to