[jira] [Commented] (IMPALA-14988) Add option to impala-shell to verify server with default certs

Thu, 14 May 2026 13:54:06 -0700 


    [ 
https://issues.apache.org/jira/browse/IMPALA-14988?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18080999#comment-18080999
 ] 

ASF subversion and git services commented on IMPALA-14988:
----------------------------------------------------------

Commit 8db91f044c1d9daae5a32cee63b1884893b21690 in impala's branch 
refs/heads/master from Csaba Ringhofer
[ https://gitbox.apache.org/repos/asf?p=impala.git;h=8db91f044 ]

IMPALA-14988: Allow verifying server with default CAs in impala-shell

Before this patch impala-shell either used a custom CA certificate
(--ca_cert) or didn't verify the server at all. Added option
--verify_cert to verify the server using default CA certs (usually
set at OS level).

By default server is still not verified - in the future
it may make sense to switch to more secure default. Meanwhile
impalarc can be used to set verify_cert=true without altering
impala-shell invocations.

Based on https://github.com/cloudera/impyla/pull/601

Testing:
- added negative test to check if self-signed test certs
  are rejected
- no positive test as it is harder to add a self-signed
  test cert to the default CA certs

Generated by Claude Sonnet 4.6

Change-Id: I8375443d080876d0c8489cbe4c27193b5f7f9b4b
Reviewed-on: http://gerrit.cloudera.org:8080/24299
Tested-by: Impala Public Jenkins <[email protected]>
Reviewed-by: Michael Smith <[email protected]>
Reviewed-by: Joe McDonnell <[email protected]>


> Add option to impala-shell to verify server with default certs
> --------------------------------------------------------------
>
>                 Key: IMPALA-14988
>                 URL: https://issues.apache.org/jira/browse/IMPALA-14988
>             Project: IMPALA
>          Issue Type: Improvement
>          Components: Clients
>            Reporter: Csaba Ringhofer
>            Priority: Critical
>              Labels: impala-shell, security
>
> Currently either custom certificates are passed (ca_cert) or the server is 
> unverified. A "middle ground" would be using default ssl verification (based 
> on root CAs in OS).
> Similar feature was added in impyla with arg verify_cert:
> https://github.com/cloudera/impyla/pull/601



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to