Hi Russell,

Did you happen to look at the 'KrbAuthType' from Page 86 in the docs?
https://www.cloudera.com/documentation/other/connectors/impala-jdbc/latest/Cloudera-JDBC-Driver-for-Impala-Install-Guide.pdf

If you don't specify the KrbAuthType, it would look for the principal
in the following order (pasting from the doc):

1. First, the driver tries to obtain the Subject from the current
thread's inherited AccessControlContext. If the AccessControlContext
contains multiple Subjects, the driver uses the most recent Subject.

2. If the first method does not work, then the driver checks the
java.security.auth.login.config system property for a JAAS
configuration. If a JAAS configuration is specified, the driver uses
that information to create a LoginContext and then uses the Subject
associated with it.

3. If the second method does not work, then the driver checks the
KRB5_CONFIG and KRB5CCNAME system environment variables for a Kerberos
ticket cache. The driver uses the information from the cache to create
a LoginContext and then uses the Subject associated with it.


In the default case, when you don't have a JAAS conf file, I've
noticed that it picks the last kinit-ed user from the kerberos
credential cache (step 3) and uses that as the client principal (i.e.
the principal you're connecting as). Note that the 'KrbServiceName' is
the service principal name of the Impala server and not of the client.

E.g.:

kinit foo
<Run JDBC app>

In the above case, 'foo' will be used as the client principal and will
be used against all the Sentry authorization checks.


On Wed, Jun 21, 2017 at 10:04 AM, Russell Harlin <[email protected]> wrote:
>
> Hi,
>
> Based on the Impala documentation, it seems like it's required that JDBC
> connections use the same Kerberos principal used to start the impalad daemon.
> This seems to work fine for me. My question is, though, if I also want to
> use Sentry authorization how does impala distinguish users, since they're all
> using the same Kerberos principal? Do we have to pass in the desired user to
> the JDBC connection? Does this mean that we have to enable AD as well or can
> we use local users?
>
> Thanks,
>
> Russell
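As an added illustration of the lookup order described at the top of this thread (this is example code, not from the thread, the Cloudera guide or the driver): logging in through an explicit JAAS entry and running the JDBC work inside Subject.doAs makes the driver pick the Subject in step 1, so the client principal is the one you configured rather than whoever ran kinit last, and the SELECT user() check confirms which identity Sentry will see. The host, realm, JAAS entry name "ImpalaClient" and the AuthMech/KrbRealm/KrbHostFQDN connection properties are assumptions for this example.

```java
import java.security.PrivilegedExceptionAction;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.Statement;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;

public class ImpalaExplicitPrincipal {
    // Assumed values: replace host, realm and service name with your own.
    static final String URL = "jdbc:impala://impala-host.example.com:21050;"
        + "AuthMech=1;KrbRealm=EXAMPLE.COM;"
        + "KrbHostFQDN=impala-host.example.com;KrbServiceName=impala";

    public static void main(String[] args) throws Exception {
        // "ImpalaClient" is an assumed entry in the JAAS file named by
        // -Djava.security.auth.login.config=...; it should use Krb5LoginModule
        // with a keytab and principal so the identity does not depend on the
        // contents of the shared ticket cache.
        LoginContext lc = new LoginContext("ImpalaClient");
        lc.login();
        Subject subject = lc.getSubject();
        String principal = subject.getPrincipals().iterator().next().getName();
        System.out.println("JAAS login as: " + principal);

        // Subject.doAs puts the Subject into the thread's AccessControlContext,
        // which is step 1 of the driver's lookup, so the driver never falls
        // through to the KRB5CCNAME ticket cache (step 3).
        String serverSideUser = Subject.doAs(subject,
            (PrivilegedExceptionAction<String>) () -> {
                Class.forName("com.cloudera.impala.jdbc41.Driver");
                try (Connection c = DriverManager.getConnection(URL);
                     Statement s = c.createStatement();
                     // user() is an Impala built-in returning the authenticated user
                     ResultSet rs = s.executeQuery("SELECT user()")) {
                    return rs.next() ? rs.getString(1) : null;
                }
            });

        // impalad reports the short name after its auth_to_local mapping, so
        // compare only the part before any '/' or '@' of the principal.
        String expectedShortName = principal.split("[/@]")[0];
        if (!expectedShortName.equals(serverSideUser)) {
            throw new IllegalStateException("Server authenticated us as '"
                + serverSideUser + "', expected '" + expectedShortName + "'");
        }
        System.out.println("Sentry checks will run as: " + serverSideUser);
        lc.logout();
    }
}
```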
