You can enable Kerberos authentication for Impala on both secure and non-secure MapR clusters.
To enable Kerberos authentication for Impala, complete the following steps:
Once you have configured Impala to use Kerberos for authentication, restart Impala and then start the impala-shell with the -s mapr -k flag to enable Kerberos.
Step 1: Copy core-site.xml to Impala
Copy the following files to the
Note: Any time the hive-site.xml file is modified, copy it to the
Step 2: Create Service Principals
Create service principals for each host that runs impalad, catalogd, or statestored and for the HTTP service. Principal names take the following form:
To create service principals, complete the following steps:
- Create an Impala service principal and specify the following information:
  - Name “mapr”
  - Fully qualified domain name of each node running impalad
- Create an HTTP service principal.
Step 3: Create
Create, merge, and distribute keytab files for the principals.
keytab files, complete the following steps:
keytab files with both principals.
keytab utility to read the content of the keytab files and then write the content to a new file.
Optionally, test the credentials in the merged keytab file to verify their validity and to verify that “renew until” data is set to a future time.
Change the file owner to the mapr user to make mapr the only user authorized to read the file content.
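The checks that Step 3 calls for on the merged keytab (both principals present, file readable only by its owner) can be scripted. This is an added example, not code from the original page; it assumes principals follow the common Kerberos service/host@REALM form, and the host name, realm, and file paths are placeholders.

```shell
#!/bin/sh
# Added example: checks on the merged keytab from Step 3.
# Assumptions (not from the page): principals use the common Kerberos
# service/host@REALM form; host, realm and file names below are placeholders.

# Read `klist -kt` output on stdin and print each expected principal that is
# absent. Returns 0 only when both the "mapr" and HTTP principals are listed.
missing_principals() {
    fqdn=$1 realm=$2
    listed=$(awk '$NF ~ /@/ { print $NF }')   # last column is the principal
    missing=0
    for svc in mapr HTTP; do
        want="$svc/$fqdn@$realm"
        if ! printf '%s\n' "$listed" | grep -Fxq -- "$want"; then
            echo "missing: $want"
            missing=1
        fi
    done
    return "$missing"
}

# Succeed only if FILE is owned by OWNER and has no group/other permission
# bits, so OWNER is the only account able to read it. Uses GNU stat.
keytab_is_private() {
    file=$1 owner=$2
    info=$(stat -c '%U %a' "$file") || return 2
    actual_owner=${info% *} mode=${info##* }
    if [ "$actual_owner" != "$owner" ]; then
        echo "owner is $actual_owner, expected $owner"
        return 1
    fi
    case $mode in
        [4-7]00) return 0 ;;
        *) echo "mode $mode: expected owner-only access"; return 1 ;;
    esac
}

# Constructed sample of `klist -kt` output for a merged keytab.
SAMPLE_KLIST='Keytab name: FILE:/tmp/example.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------
   1 01/01/2024 10:00:00 mapr/node1.example.com@EXAMPLE.COM
   1 01/01/2024 10:00:00 HTTP/node1.example.com@EXAMPLE.COM'

# On a real node (paths are placeholders):
#   klist -kt /path/to/merged.keytab | missing_principals "$(hostname -f)" REALM
#   keytab_is_private /path/to/merged.keytab mapr
printf '%s\n' "$SAMPLE_KLIST" | missing_principals node1.example.com EXAMPLE.COM \
    && echo "both principals present in sample"
```

A keytab that fails either check should be regenerated or re-permissioned before the Impala daemons are restarted with Kerberos options.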
Step 4: Edit
env.sh to include the fully qualified domain name for the IMPALA_STATE_STORE_HOST variables, and Kerberos options.
Complete the following steps to edit
CATALOG_SERVICE_HOST variables to point to the fully qualified domain name.
Add the following Kerberos options for impalad, catalogd, and statestored daemons using the
Restart Impala and the catalog and statestore services. See Managing Impala.
To enable Kerberos from the impala-shell, start the impala-shell with the -s mapr -k flag.
For more information on changing the Impala defaults specified in env.sh, see Impala-Shell Commands and Command Line Options.