Re: minicluster with SSL

2018-02-22 Thread Vincent Tran
 Done.
Added under "Useful Tips for New Impala Developers".


On Thu, Feb 22, 2018 at 1:17 PM, Tim Armstrong wrote:

> If you figured this out, it would be helpful to add it to the developer
> wiki: https://cwiki.apache.org/confluence/display/IMPALA/Impala+Home . I
> gave you permissions to edit pages on it.
>
> On Wed, Feb 21, 2018 at 6:36 PM, Vincent Tran  wrote:
>
> > Please disregard. It turns out that both of the flags below were pointed to
> > localhost. SSL certificate's CN is sensitive to that. Simply setting those
> > flags to the FQDN matching your certificate's CN will do the trick.
> > --state_store_host
> > --catalog_service_host
> >
> > On Wed, Feb 21, 2018 at 7:13 PM, Vincent Tran wrote:
> >
> > > Hi all,
> > >
> > > Is this the correct way to start the minicluster with SSL?
> > > I have not had much luck with this (I've also tried to generate a new self
> > > signed cert/key pair, but Catalog couldn't connect to Statestore in that
> > > case) :
> > >
> > >
> > > $IMPALA_HOME/bin/start-impala-cluster.py
> > > --impalad_args='--ssl_server_certificate=$IMPALA_HOME/be/src/testutil/server-cert.pem
> > > --ssl_private_key=$IMPALA_HOME/be/src/testutil/server-key.pem
> > > --ssl_client_ca_certificate=$IMPALA_HOME/be/src/testutil/server-cert.pem'
> > > --catalogd_args='--ssl_server_certificate=$IMPALA_HOME/be/src/testutil/server-cert.pem
> > > --ssl_private_key=$IMPALA_HOME/be/src/testutil/server-key.pem
> > > --ssl_client_ca_certificate=$IMPALA_HOME/be/src/testutil/server-cert.pem'
> > > --state_store_args='--ssl_server_certificate=$IMPALA_HOME/be/src/testutil/server-cert.pem
> > > --ssl_private_key=$IMPALA_HOME/be/src/testutil/server-key.pem
> > > --ssl_client_ca_certificate=$IMPALA_HOME/be/src/testutil/server-cert.pem'
> > >
> > >
> > > Starting State Store logging to /data/vtran/Impala/logs/cluster/statestored.INFO
> > > Starting Catalog Service logging to /data/vtran/Impala/logs/cluster/catalogd.INFO
> > > Starting Impala Daemon logging to /data/vtran/Impala/logs/cluster/impalad.INFO
> > > Starting Impala Daemon logging to /data/vtran/Impala/logs/cluster/impalad_node1.INFO
> > > Starting Impala Daemon logging to /data/vtran/Impala/logs/cluster/impalad_node2.INFO
> > > MainThread: Found 3 impalad/1 statestored/1 catalogd process(es)
> > > MainThread: Getting num_known_live_backends from blackbox:25000
> > > MainThread: Waiting for num_known_live_backends=3. Current value: 0
> > > MainThread: Getting num_known_live_backends from blackbox:25000
> > > MainThread: Waiting for num_known_live_backends=3. Current value: 0
> > > MainThread: Getting num_known_live_backends from blackbox:25000
> > > MainThread: Waiting for num_known_live_backends=3. Current value: 0
> > > ...
> > > MainThread: Getting num_known_live_backends from blackbox:25000
> > > MainThread: Waiting for num_known_live_backends=3. Current value: 0
> > > MainThread: Getting num_known_live_backends from blackbox:25000
> > > MainThread: Waiting for num_known_live_backends=3. Current value: 0
> > > MainThread: Getting num_known_live_backends from blackbox:25000
> > > MainThread: Waiting for num_known_live_backends=3. Current value: 0
> > > MainThread: Getting num_known_live_backends from blackbox:25000
> > > MainThread: Waiting for num_known_live_backends=3. Current value: 0
> > > Error starting cluster: num_known_live_backends did not reach expected
> > > value in time
> > >
> > >
> > >
> > >
> > > Daemon 1
> > > https://gist.github.com/vtstran/0d8db4959db7de6407a9e5da1ed4375c
> > >
> > > Statestore
> > > https://gist.github.com/vtstran/93c37a44109900325070a5c67eddcff9
> > >
> > > openssl s_client output
> > > https://gist.github.com/vtstran/cd26162457f9bcc271f6e8e0c1452078
> > >
> > >
> > >
> > > *TLDNR:* statestore has this complaint:
> > >
> > > I0221 18:50:08.176901 98753 client-cache.h:304] RPC Error: Client for
> > > blackbox:23020 hit an unexpected exception: authorize: cannot authorize
> > > peer, type: N6apache6thrift9transport13TSSLExceptionE, rpc:
> > > N6impala18THeartbeatResponseE, send: not done
> > > But I verified with openssl s_client that the provided CA should connect
> > > okay.
> > >
> > > So I feel like I may be missing something subtle here...
> > >
> > >
> > >
> >
> >
> >
>


Re: minicluster with SSL

2018-02-22 Thread Tim Armstrong
If you figured this out, it would be helpful to add it to the developer
wiki: https://cwiki.apache.org/confluence/display/IMPALA/Impala+Home . I
gave you permissions to edit pages on it.

On Wed, Feb 21, 2018 at 6:36 PM, Vincent Tran  wrote:

> Please disregard. It turns out that both of the flags below were pointed to
> localhost. SSL certificate's CN is sensitive to that. Simply setting those
> flags to the FQDN matching your certificate's CN will do the trick.
> --state_store_host
> --catalog_service_host
>
> On Wed, Feb 21, 2018 at 7:13 PM, Vincent Tran  wrote:
>
> > Hi all,
> >
> > Is this the correct way to start the minicluster with SSL?
> > I have not had much luck with this (I've also tried to generate a new self
> > signed cert/key pair, but Catalog couldn't connect to Statestore in that
> > case) :
> >
> >
> > $IMPALA_HOME/bin/start-impala-cluster.py
> > --impalad_args='--ssl_server_certificate=$IMPALA_HOME/be/src/testutil/server-cert.pem
> > --ssl_private_key=$IMPALA_HOME/be/src/testutil/server-key.pem
> > --ssl_client_ca_certificate=$IMPALA_HOME/be/src/testutil/server-cert.pem'
> > --catalogd_args='--ssl_server_certificate=$IMPALA_HOME/be/src/testutil/server-cert.pem
> > --ssl_private_key=$IMPALA_HOME/be/src/testutil/server-key.pem
> > --ssl_client_ca_certificate=$IMPALA_HOME/be/src/testutil/server-cert.pem'
> > --state_store_args='--ssl_server_certificate=$IMPALA_HOME/be/src/testutil/server-cert.pem
> > --ssl_private_key=$IMPALA_HOME/be/src/testutil/server-key.pem
> > --ssl_client_ca_certificate=$IMPALA_HOME/be/src/testutil/server-cert.pem'
> >
> >
> > Starting State Store logging to /data/vtran/Impala/logs/cluster/statestored.INFO
> > Starting Catalog Service logging to /data/vtran/Impala/logs/cluster/catalogd.INFO
> > Starting Impala Daemon logging to /data/vtran/Impala/logs/cluster/impalad.INFO
> > Starting Impala Daemon logging to /data/vtran/Impala/logs/cluster/impalad_node1.INFO
> > Starting Impala Daemon logging to /data/vtran/Impala/logs/cluster/impalad_node2.INFO
> > MainThread: Found 3 impalad/1 statestored/1 catalogd process(es)
> > MainThread: Getting num_known_live_backends from blackbox:25000
> > MainThread: Waiting for num_known_live_backends=3. Current value: 0
> > MainThread: Getting num_known_live_backends from blackbox:25000
> > MainThread: Waiting for num_known_live_backends=3. Current value: 0
> > MainThread: Getting num_known_live_backends from blackbox:25000
> > MainThread: Waiting for num_known_live_backends=3. Current value: 0
> > ...
> > MainThread: Getting num_known_live_backends from blackbox:25000
> > MainThread: Waiting for num_known_live_backends=3. Current value: 0
> > MainThread: Getting num_known_live_backends from blackbox:25000
> > MainThread: Waiting for num_known_live_backends=3. Current value: 0
> > MainThread: Getting num_known_live_backends from blackbox:25000
> > MainThread: Waiting for num_known_live_backends=3. Current value: 0
> > MainThread: Getting num_known_live_backends from blackbox:25000
> > MainThread: Waiting for num_known_live_backends=3. Current value: 0
> > Error starting cluster: num_known_live_backends did not reach expected
> > value in time
> >
> >
> >
> >
> > Daemon 1
> > https://gist.github.com/vtstran/0d8db4959db7de6407a9e5da1ed4375c
> >
> > Statestore
> > https://gist.github.com/vtstran/93c37a44109900325070a5c67eddcff9
> >
> > openssl s_client output
> > https://gist.github.com/vtstran/cd26162457f9bcc271f6e8e0c1452078
> >
> >
> >
> > *TLDNR:* statestore has this complaint:
> >
> > I0221 18:50:08.176901 98753 client-cache.h:304] RPC Error: Client for
> > blackbox:23020 hit an unexpected exception: authorize: cannot authorize
> > peer, type: N6apache6thrift9transport13TSSLExceptionE, rpc:
> > N6impala18THeartbeatResponseE, send: not done
> > But I verified with openssl s_client that the provided CA should connect
> > okay.
> >
> > So I feel like I may be missing something subtle here...
> >
> >
> >
>
>
> --
> Vincent T. Tran
> Customer Operations Engineer
> Cloudera, Inc.
>


Re: minicluster with SSL

2018-02-21 Thread Vincent Tran
Please disregard. It turns out that both of the flags below were pointed to
localhost. SSL certificate's CN is sensitive to that. Simply setting those
flags to the FQDN matching your certificate's CN will do the trick.
--state_store_host
--catalog_service_host

On Wed, Feb 21, 2018 at 7:13 PM, Vincent Tran  wrote:

> Hi all,
>
> Is this the correct way to start the minicluster with SSL?
> I have not had much luck with this (I've also tried to generate a new self
> signed cert/key pair, but Catalog couldn't connect to Statestore in that
> case) :
>
>
> $IMPALA_HOME/bin/start-impala-cluster.py
> --impalad_args='--ssl_server_certificate=$IMPALA_HOME/be/src/testutil/server-cert.pem
> --ssl_private_key=$IMPALA_HOME/be/src/testutil/server-key.pem
> --ssl_client_ca_certificate=$IMPALA_HOME/be/src/testutil/server-cert.pem'
> --catalogd_args='--ssl_server_certificate=$IMPALA_HOME/be/src/testutil/server-cert.pem
> --ssl_private_key=$IMPALA_HOME/be/src/testutil/server-key.pem
> --ssl_client_ca_certificate=$IMPALA_HOME/be/src/testutil/server-cert.pem'
> --state_store_args='--ssl_server_certificate=$IMPALA_HOME/be/src/testutil/server-cert.pem
> --ssl_private_key=$IMPALA_HOME/be/src/testutil/server-key.pem
> --ssl_client_ca_certificate=$IMPALA_HOME/be/src/testutil/server-cert.pem'
>
>
> Starting State Store logging to /data/vtran/Impala/logs/cluster/statestored.INFO
> Starting Catalog Service logging to /data/vtran/Impala/logs/cluster/catalogd.INFO
> Starting Impala Daemon logging to /data/vtran/Impala/logs/cluster/impalad.INFO
> Starting Impala Daemon logging to /data/vtran/Impala/logs/cluster/impalad_node1.INFO
> Starting Impala Daemon logging to /data/vtran/Impala/logs/cluster/impalad_node2.INFO
> MainThread: Found 3 impalad/1 statestored/1 catalogd process(es)
> MainThread: Getting num_known_live_backends from blackbox:25000
> MainThread: Waiting for num_known_live_backends=3. Current value: 0
> MainThread: Getting num_known_live_backends from blackbox:25000
> MainThread: Waiting for num_known_live_backends=3. Current value: 0
> MainThread: Getting num_known_live_backends from blackbox:25000
> MainThread: Waiting for num_known_live_backends=3. Current value: 0
> ...
> MainThread: Getting num_known_live_backends from blackbox:25000
> MainThread: Waiting for num_known_live_backends=3. Current value: 0
> MainThread: Getting num_known_live_backends from blackbox:25000
> MainThread: Waiting for num_known_live_backends=3. Current value: 0
> MainThread: Getting num_known_live_backends from blackbox:25000
> MainThread: Waiting for num_known_live_backends=3. Current value: 0
> MainThread: Getting num_known_live_backends from blackbox:25000
> MainThread: Waiting for num_known_live_backends=3. Current value: 0
> Error starting cluster: num_known_live_backends did not reach expected
> value in time
>
>
>
>
> Daemon 1
> https://gist.github.com/vtstran/0d8db4959db7de6407a9e5da1ed4375c
>
> Statestore
> https://gist.github.com/vtstran/93c37a44109900325070a5c67eddcff9
>
> openssl s_client output
> https://gist.github.com/vtstran/cd26162457f9bcc271f6e8e0c1452078
>
>
>
> *TLDNR:* statestore has this complaint:
>
> I0221 18:50:08.176901 98753 client-cache.h:304] RPC Error: Client for
> blackbox:23020 hit an unexpected exception: authorize: cannot authorize
> peer, type: N6apache6thrift9transport13TSSLExceptionE, rpc:
> N6impala18THeartbeatResponseE, send: not done
> But I verified with openssl s_client that the provided CA should connect
> okay.
>
> So I feel like I may be missing something subtle here...
>
>
>


-- 
Vincent T. Tran
Customer Operations Engineer
Cloudera, Inc.
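
A pre-flight check for the fix described in this thread, as an added example (not code from the thread or from the Impala code base): it compares the values of `--state_store_host` and `--catalog_service_host` against the names in a certificate given in the dictionary form that Python's `ssl.SSLSocket.getpeercert()` returns. The matching rule used (subjectAltName DNS entries, CN as fallback, wildcard only as the leftmost label) is a simplified assumption about the peer name check, and the hostname `node1.example.test` and the sample certificate are constructed.

```python
# Added example: hostnames and certificate below are constructed, not from the thread.
# Name matching is a separate check from CA chain validation; a certificate can
# chain to a trusted CA and still be rejected for the name the client dialled.

HOST_FLAGS = ("--state_store_host", "--catalog_service_host")


def cert_dns_names(cert):
    """Names a peer may be addressed by: SAN DNS entries, else the subject CN."""
    san = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if san:
        return san
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def name_matches(pattern, host):
    """Case-insensitive match; '*' is honoured only as the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        p, h = p[1:], h[1:]
    return p == h


def check_host_flags(argv, cert):
    """Map each host flag found in argv to True/False: does its value match the cert?"""
    names = cert_dns_names(cert)
    result = {}
    for arg in argv:
        flag, sep, value = arg.partition("=")
        if sep and flag in HOST_FLAGS:
            result[flag] = any(name_matches(n, value) for n in names)
    return result


# Constructed certificate in getpeercert() form: CN only, no subjectAltName.
SAMPLE_CERT = {"subject": ((("commonName", "node1.example.test"),),)}

if __name__ == "__main__":
    failing = ["--state_store_host=localhost", "--catalog_service_host=localhost"]
    fixed = ["--state_store_host=node1.example.test",
             "--catalog_service_host=node1.example.test"]
    for label, argv in (("localhost", failing), ("FQDN", fixed)):
        for flag, ok in check_host_flags(argv, SAMPLE_CERT).items():
            print(f"{label:9} {flag:24} {'match' if ok else 'MISMATCH'}")
```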