MapR 5.0 Documentation : Enable Kerberos Authentication

You can enable Kerberos authentication for Impala on a secure or non-secure MapR cluster.

To enable Kerberos authentication for Impala, complete the following steps:

Once you have configured Impala to use Kerberos for authentication, restart Impala and then start the impala-shell with the -s mapr -k flags to enable Kerberos.

Step 1: Copy hive-site.xml and core-site.xml to Impala

Copy the following files to the $IMPALA_HOME/conf/ directory:

  • $HIVE_HOME/conf/hive-site.xml
  • $HADOOP_HOME/etc/hadoop/core-site.xml

Note: Any time the hive-site.xml file is modified, copy it to the $IMPALA_HOME/conf/ directory.

Step 2: Create Service Principals

Create service principals for each host that runs impalad, catalogd, or statestored and for the HTTP service. Principal names take the following form: 

To create service principals, complete the following steps:

  1. Create an Impala service principal and specify the following information:
    • Name “mapr”
    • Fully qualified domain name of each node running impalad
    • Realm name

    kadmin: addprinc -requires_preauth -randkey -allow_renewable mapr/
  2. Create an HTTP service principal. 

    kadmin: addprinc -randkey HTTP/

Step 3: Create keytab Files

Create, merge, and distribute keytab files for the principals.

To create keytab files, complete the following steps:

  1. Create keytab files with both principals.

    kadmin: xst -k /opt/mapr/conf/mapr.keytab mapr/
  2. Use the keytab utility to read the content of the keytab files and then write the content to a new file.

    ktutil: rkt /opt/mapr/conf/mapr.keytab
    ktutil: rkt /opt/mapr/conf/http.keytab
    ktutil: wkt /opt/mapr/conf/mapr-http.keytab
    ktutil: quit
  3. Optionally, test the credentials in the merged keytab file to verify their validity and to verify that “renew until” data is set to a future time.

    klist -e -k -t /opt/mapr/conf/mapr-http.keytab
  4. Change the file owner to the mapr user and set the mode to 400 to make mapr the only user authorized to read the file content.

    chown mapr /opt/mapr/conf/mapr-http.keytab
    chmod 400 /opt/mapr/conf/mapr-http.keytab
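
The checks in items 3 and 4 of Step 3 can be scripted. The following is an added example, not part of the MapR documentation: it confirms that the merged keytab is a mode 0400 file owned by the expected user and that it holds entries for both the mapr and HTTP services. The function names, the script name, and the sample host and realm are assumptions.

```shell
#!/bin/sh
# Added example (not MapR code): audit the merged keytab from Step 3.

# keytab_perms_ok FILE OWNER
# Returns 0 only if FILE is a regular file owned by OWNER with mode 0400.
keytab_perms_ok() {
    [ -f "$1" ] || return 1
    # POSIX `ls -ld`: field 1 is the mode string, field 3 the owner.
    set -- "$2" $(ls -ld -- "$1")
    case "$2" in
        -r--------|-r--------.) ;;  # a trailing '.' is only an SELinux marker
        *) return 1 ;;              # any other bit, or a '+' ACL marker, fails
    esac
    [ "$4" = "$1" ]
}

# missing_services "NAME NAME ..."
# Reads `klist -k` output on stdin and prints every service name (the part of
# a principal before the first '/') that has no entry in the keytab.
missing_services() {
    awk -v want="$1" '
        $1 ~ /^[0-9]+$/ {                  # entry rows start with the KVNO
            for (i = 2; i <= NF; i++)
                if ($i ~ /@/) { split($i, p, "/"); seen[p[1]] = 1 }
        }
        END {
            n = split(want, w, " ")
            for (i = 1; i <= n; i++) if (!(w[i] in seen)) print w[i]
        }'
}

# Constructed sample of `klist -e -k -t` output; host and realm are made up.
SAMPLE_KLIST='Keytab name: FILE:/opt/mapr/conf/mapr-http.keytab
KVNO Timestamp           Principal
---- ------------------- --------------------------------------------------
   1 01/01/2015 10:00:00 mapr/node1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   1 01/01/2015 10:00:00 HTTP/node1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)'

# Usage: sh audit_keytab.sh KEYTAB [OWNER]   (OWNER defaults to mapr)
if [ $# -ge 1 ]; then
    keytab_perms_ok "$1" "${2:-mapr}" ||
        echo "WARN: $1 is not a mode 0400 file owned by ${2:-mapr}"
    klist -k "$1" | missing_services "mapr HTTP" | sed 's/^/WARN: no entry for /'
fi
```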

Step 4: Edit

Edit /opt/mapr/impala/impala-<version>/conf/ to include the fully qualified domain name for the IMPALA_STATE_STORE_HOST and CATALOG_SERVICE_HOST variables, and the Kerberos options.

Complete the following steps to edit

  1. Set the IMPALA_STATE_STORE_HOST and CATALOG_SERVICE_HOST variables to point to the fully qualified domain name.

  2. Add the following Kerberos options for impalad, catalogd, and statestored daemons using the IMPALA_SERVER_ARGS, IMPALA_CATALOG_ARGS, and IMPALA_STATE_STORE_ARGS variables:

    Kerberos Options
         -log_dir=${IMPALA_LOG_DIR} \
         -state_store_port=${IMPALA_STATE_STORE_PORT} \
         -use_statestore \
         -authorized_proxy_user_config=mapr=* \
         -state_store_host=${IMPALA_STATE_STORE_HOST} \
         -catalog_service_host=${CATALOG_SERVICE_HOST} \
         -be_port=${IMPALA_BACKEND_PORT} \
         -disable_admission_control=true \
         -kerberos_reinit_interval=60 \
         -principal=mapr/ \
         -keytab_file=/opt/mapr/conf/mapr-http.keytab "
  3. Restart Impala and the catalog and statestore services. See Managing Impala.

  4. To enable Kerberos from the impala-shell, start the impala-shell with the -s mapr -k flags.

    impala-shell -s mapr -k

For more information on changing the Impala defaults specified in, see Impala-Shell Commands and Command Line Options.