MapR 5.0 Documentation : Enable Kerberos Authentication

You can enable Kerberos authentication for Impala on either a secure or a non-secure MapR cluster.

To enable Kerberos authentication for Impala, complete the following steps:

Once you have configured Impala to use Kerberos for authentication, restart Impala and then start the impala-shell with the -s mapr -k flags to enable Kerberos.

Step 1: Copy hive-site.xml and core-site.xml to Impala

Copy the following files to the $IMPALA_HOME/conf/ directory:

  • $HIVE_HOME/conf/hive-site.xml
  • $HADOOP_HOME/etc/hadoop/core-site.xml

Note: Any time the hive-site.xml file is modified, copy it to the $IMPALA_HOME/conf/ directory.

Step 2: Create Service Principals

Create service principals for each host that runs impalad, catalogd, or statestored and for the HTTP service. Principal names take the following form: 
mapr/<fully.qualified.domain.name>@<KERBEROS.REALM>

To create service principals, complete the following steps:

  1. Create an Impala service principal and specify the following information:
    • Name “mapr”
    • Fully qualified domain name of each node running impalad
    • Realm name

      Example
      kadmin: addprinc -requires_preauth -randkey -allow_renewable mapr/impala_host.example.com@TEST.EXAMPLE.COM
  2. Create an HTTP service principal. 

    Example
    kadmin: addprinc -randkey HTTP/impala_host.example.com@TEST.EXAMPLE.COM

Step 3: Create keytab Files

Create, merge, and distribute keytab files for the principals.

To create keytab files, complete the following steps:

  1. Create keytab files with both principals.

    Example
    kadmin: xst -k /opt/mapr/conf/mapr.keytab mapr/impala_host.example.com
    kadmin: xst -k /opt/mapr/conf/http.keytab HTTP/impala_host.example.com
  2. Use the ktutil utility to read the content of the keytab files and then write the content to a new, merged file.

    Example
    ktutil
    ktutil: rkt /opt/mapr/conf/mapr.keytab
    ktutil: rkt /opt/mapr/conf/http.keytab
    ktutil: wkt /opt/mapr/conf/mapr-http.keytab
    ktutil: quit
  3. Optionally, test the credentials in the merged keytab file to verify their validity and to verify that “renew until” data is set to a future time.

    Example
    klist -e -k -t /opt/mapr/conf/mapr-http.keytab
  4. Change the file owner to the mapr user and restrict the permissions so that mapr is the only user authorized to read the file content.

    Example
    chown mapr /opt/mapr/conf/mapr-http.keytab
    chmod 400 /opt/mapr/conf/mapr-http.keytab

Step 4: Edit env.sh

Edit /opt/mapr/impala/impala-<version>/conf/env.sh to set the IMPALA_STATE_STORE_HOST and CATALOG_SERVICE_HOST variables to the fully qualified domain name and to add the Kerberos options.

Complete the following steps to edit env.sh:

  1. Set the IMPALA_STATE_STORE_HOST and CATALOG_SERVICE_HOST variables to point to the fully qualified domain name.

    Example
    IMPALA_STATE_STORE_HOST=impala_host.example.com
    IMPALA_STATE_STORE_PORT=24000
    CATALOG_SERVICE_HOST=impala_host.example.com
  2. Add the following Kerberos options for impalad, catalogd, and statestored daemons using the IMPALA_SERVER_ARGS, IMPALA_CATALOG_ARGS, and IMPALA_STATE_STORE_ARGS variables:

    Kerberos Options
    -kerberos_reinit_interval=60
    -principal=mapr/impala_host.example.com@TEST.EXAMPLE.COM
    -keytab_file=/opt/mapr/conf/mapr-http.keytab
    Example
    IMPALA_SERVER_ARGS=" \
         -log_dir=${IMPALA_LOG_DIR} \
         -state_store_port=${IMPALA_STATE_STORE_PORT} \
         -use_statestore \
         -authorized_proxy_user_config=mapr=* \
         -state_store_host=${IMPALA_STATE_STORE_HOST} \
         -catalog_service_host=${CATALOG_SERVICE_HOST} \
         -be_port=${IMPALA_BACKEND_PORT} \
         -disable_admission_control=true \
         -kerberos_reinit_interval=60 \
         -principal=mapr/impala_host.example.com@TEST.EXAMPLE.COM \
         -keytab_file=/opt/mapr/conf/mapr-http.keytab "
  3. Restart Impala and the catalog and statestore services. See Managing Impala.

  4. To enable Kerberos from the impala-shell, start the impala-shell with the -s mapr -k flags.

    Example
    impala-shell -s mapr -k

For more information on changing the Impala defaults specified in env.sh, see Impala-Shell Commands and Command Line Options.
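
One way to check the result of Step 4 before restarting the daemons, as an added example that is not part of the MapR documentation: the function check_impala_kerberos (a hypothetical name) sources env.sh in a subshell and reports any of the three *_ARGS variables that lacks a Kerberos option, a principal that does not match the form given in Step 2, or a keytab file that is accessible beyond its owner.

```shell
#!/bin/sh
# Added example (not MapR code): lint env.sh for the Kerberos options of Step 4.
# Usage: check_impala_kerberos /path/to/env.sh
# Prints one line per problem; the exit status is the number of problems.
check_impala_kerberos() {
    (   # subshell, so sourcing env.sh does not leak into the caller
        [ -r "$1" ] || { echo "cannot read $1"; exit 1; }
        set -f                        # keep values such as mapr=* literal
        . "$1" >/dev/null 2>&1
        problems=0
        flag() { echo "$1"; problems=$((problems + 1)); }
        # Value of the last occurrence of option $1 in the current $args.
        value_of() { printf '%s\n' $args | sed -n "s|^$1||p" | tail -n 1; }

        for var in IMPALA_SERVER_ARGS IMPALA_CATALOG_ARGS IMPALA_STATE_STORE_ARGS; do
            eval "args=\${$var:-}"
            for opt in -kerberos_reinit_interval= -principal= -keytab_file=; do
                [ -n "$(value_of "$opt")" ] || flag "$var: $opt is not set"
            done

            # Principal form from Step 2: mapr/<fqdn>@<KERBEROS.REALM>
            principal=$(value_of -principal=)
            case $principal in
                '' | mapr/*.*@?*) ;;
                *) flag "$var: principal '$principal' is not mapr/<fqdn>@<REALM>" ;;
            esac

            # The keytab holds long-term keys: no group or other access.
            keytab=$(value_of -keytab_file=)
            if [ -n "$keytab" ] && [ -e "$keytab" ]; then
                mode=$(ls -ld "$keytab" | cut -c5-10)
                [ "$mode" = "------" ] || flag "$var: $keytab is open to group/other"
            fi
        done
        exit "$problems"
    )
}
```

Because the function sources the file it checks, pass it the path of the env.sh you edited, for example /opt/mapr/impala/impala-<version>/conf/env.sh.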