MapR 5.0 Documentation : Impala Security

You can configure Impala to use the following security features on a secure and non-secure MapR cluster:


You can configure LDAP authentication for client connections with Impala. You can use LDAP authentication with Sentry to authenticate users and provide precise levels of access to users. See LDAP Authentication for Impala.

KerberosYou can configure Impala to use Kerberos for authentication. You can also use Sentry authorization in conjunction with Kerberos if you want to configure user-level access to databases, tables, columns, and partitions. See Enable Kerberos Authentication for Impala.

You can enable SSL network encryption for communication between Impala and client programs and between Impala nodes in a cluster. See Enable SSL for Impala.

Impala does not directly support SASL-enabled MapR clusters and cannot authenticate users accessing data from an Impala client. You can enable MapR SASL for the Hive metastore. When the Hive metastore is SASL enabled, Impala can run in any security mode (none, LDAP, or Kerberos). To avoid security holes, configure Impala on Kerberos or LDAP. If Impala is not secure or only has LDAP authentication enabled, only the client connection to Impala is authenticated and there is no wire level encryption or server-to-server authentication.

You can configure Impala to use security features and components listed below on a secure MapR cluster when Kerberos is used for authentication and Hive is also secure. 

The following security matrix assumes that each component is configured with Kerberos for authentication. For example, if you run Impala with Hive and Hue, each component (Impala, Hive, and Hue) must use Kerberos for authentication.

ComponentVersionImpala 1.4.1Impala 2.2.0

The following table provides the supported and unsupported component and security combinations on a secure MapR cluster:

Impala Security ModeHive + MapR SASLHive + Kerberos
Nonesupportednot supported
LDAPsupportednot supported