Impala Security


Warning: While Impala is supported and compatible with MapR, using Impala is not encouraged for several reasons:
  • By design, Impala security secures data outside the underlying file system, which creates the potential of backdoor access. When you enable Impala authorization using Sentry, the MapR platform security is bypassed and the MapR converged data platform can no longer fully secure your data.
  • If you enable this Impala security, impersonation will be disabled and data ownership will be shifted to the Impala user, which makes the "Impala" data inaccessible by regular users through means other than Hive or Impala (because the users no longer own the data).

You can configure Impala to use the security features listed in the next table on either a secure or a non-secure MapR cluster. If you use the MapR Installer and select Enable Security, Impala will not be automatically secured.

Feature Description
LDAP You can configure LDAP authentication for client connections with Impala. You can use LDAP authentication with Sentry to authenticate users and provide precise levels of access to users. See LDAP Authentication for Impala.
Kerberos You can configure Impala to use Kerberos for authentication. You can also use Sentry authorization in conjunction with Kerberos if you want to configure user-level access to databases, tables, columns, and partitions. See Enable Kerberos Authentication for Impala.
MapR Security

You can configure MapR security between Impala and Hive. See Configure Hive Metastore to use MapR-SASL.

Note: MapR security is not present between the Impala client and the Impala server. To avoid security holes, you must configure the Impala client on Kerberos or LDAP.
SSL You can enable SSL network encryption for communication between Impala and client programs and between Impala nodes in a cluster. See Enable SSL for Impala.
Important: The Impala client does not support MapR ticket security, but you can authentication connections as follows:
  • Between the Impala server and client (JDBC, Impala-shell) - Kerberos or LDAP. However, you might encounter issues with Impala on Kerberos using the JDBC connector.
  • Between Impala (the Impala catalog) and Hive metastore - MapR ticket security or Kerberos.

To avoid security holes, configure Impala on Kerberos or LDAP. If Impala is not secure or only has LDAP authentication enabled, only the client connection to Impala is authenticated and there is no wire level encryption or server-to-server authentication.

You can enable MapR SASL for the Hive metastore. When the Hive metastore is SASL enabled, Impala can run in any security mode (none, LDAP, or Kerberos).

Component Compatibility

You can configure Impala to use the components and/or features listed below on a secure MapR cluster. The following table assumes that each component is configured with Kerberos on Impala. Hive and Hue can be configured with MapR security for authentication.

Note: MapR security is not present between the Impala client and the Impala server. To avoid security holes, you must configure the Impala client on Kerberos or LDAP. Hive and Hue use MapR security.
Component Version Impala 1.4.1 Impala 2.2.0 Impala 2.5.0 Impala 2.7.0
MapR 5.1.x and later Yes Yes Yes Yes
5.0.x Yes Yes No No
4.0.1 Yes No No No
LDAP N/A Yes Yes Yes Yes
Kerberos N/A Yes Yes Yes Yes
Sentry 1.7 No No No Yes
1.6 No Yes Yes No
Hue 1.4 Yes No No No
3.12 No No No Yes
3.9 Yes Yes Yes No
3.6 Yes No No No
Hive 2.1.x No No No Yes
1.2.1 No Yes Yes No
0.13 Yes No No No

The following table lists the supported and unsupported component and security combinations necessary to access the Hive metastore:

Impala Client Security Mode Hive + MapR SASL
Note: The Impala Catalog will access Hive Metastore using MapR security.
Hive + Kerberos
None Supported Not supported
LDAP Supported Not supported
Kerberos Supported
Note: Issues with JDBC might exist.