Philip Zeyliger has posted comments on this change. ( http://gerrit.cloudera.org:8080/7241 )
Change subject: IMPALA-2782: Allow impala-shell to connect directly to impalad when configured with load balancer and kerberos. ...................................................................... Patch Set 4: astadler: So you're saying that it's the client that is checking the host section of the principal it's connecting to, and that's what we're overriding. If so, for consistency with JDBC, I think it's a fine thing to do this. > The kerberos_host_fqdn option exposes the SASL client's hostname attribute to > If set, it will be the sasl transport client's hostname used" " to > authenticate via kerberos") Both of these strings confused me. It's not meaningfully the "client's hostname" in my reading of it. Perhaps: "If set, overrides the expected hostname of the Impalad's kerberos service principal. impala-shell will check that the server's principal matches this hostname. This may be used when impalad is configured to be accessed via a load-balancer, but it is desired for impala-shell to talk to a specific impalad directly." Is that accurate? Do you think it's clearer? Does impyla need a similar option? -- To view, visit http://gerrit.cloudera.org:8080/7241 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: comment Gerrit-Change-Id: I4726226a7a3817421b133f74dd4f4cf8c52135f9 Gerrit-Change-Number: 7241 Gerrit-PatchSet: 4 Gerrit-Owner: Vincent Tran <[email protected]> Gerrit-Reviewer: Alex Behm <[email protected]> Gerrit-Reviewer: Dan Hecht <[email protected]> Gerrit-Reviewer: Lars Volker <[email protected]> Gerrit-Reviewer: Philip Zeyliger <[email protected]> Gerrit-Reviewer: Tim Armstrong <[email protected]> Gerrit-Reviewer: Vincent Tran <[email protected]> Gerrit-Reviewer: [email protected] Gerrit-Comment-Date: Sat, 17 Mar 2018 16:50:48 +0000 Gerrit-HasComments: No
