[email protected] has posted comments on this change. ( http://gerrit.cloudera.org:8080/7241 )
Change subject: IMPALA-2782: Allow impala-shell to connect directly to impalad when configured with load balancer and kerberos. ...................................................................... Patch Set 4: There is no security bug. The issue is that when you add a load-balancer in front of impala, or any service for that matter you have to change the hostname in the service principal to be that of the load balancer url e.g. service/hostname to impala/loadbalancer.apache.org, since you as the client don't know which host you are going to get when going through a load-balancer. The problem we are trying to fix is that impala-shell client currently doesn't let you configure the hostname of the daemon you want to connect to and the host section of the service principal you are expecting from the daemon independently. Currently it always assumes they are the same https://github.com/apache/impala/blob/63f17e9ceaed92a28ea12567a36b746e54fffdb3/shell/impala_client.py#L278. So when you want to go around the load-balancer and target a daemon directly to troubleshoot a load-balancer issue for example you can not do so using impala-shell. This functionality is already in the JDBC driver by configuring KrbHostFQDN=node1.example.com;KrbServiceName=impala . Obviously there is situations where you would like to be able to test api v1 and api v2 which is why we are trying to implement this feature that already exists in the JDBC driver in impala-shell as well. Hope that clarifies things. -- To view, visit http://gerrit.cloudera.org:8080/7241 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: comment Gerrit-Change-Id: I4726226a7a3817421b133f74dd4f4cf8c52135f9 Gerrit-Change-Number: 7241 Gerrit-PatchSet: 4 Gerrit-Owner: Vincent Tran <[email protected]> Gerrit-Reviewer: Alex Behm <[email protected]> Gerrit-Reviewer: Dan Hecht <[email protected]> Gerrit-Reviewer: Lars Volker <[email protected]> Gerrit-Reviewer: Philip Zeyliger <[email protected]> Gerrit-Reviewer: Tim Armstrong <[email protected]> Gerrit-Reviewer: Vincent Tran <[email protected]> Gerrit-Reviewer: [email protected] Gerrit-Comment-Date: Sat, 17 Mar 2018 16:24:51 +0000 Gerrit-HasComments: No
