Add SSL support for client connections to Impala

This patch allows Impala to start either Beeswax or HS2 on an
SSL-secured port. SSL is a certificate-based authentication scheme,
where the server provides a certificate to the client as part of the
handshake process. The client verifies that certificate, either by
contacting a trusted third-party certificate authority (CA), or by
accepting a 'self-signed' certificate from the server that is also
provided to the client out-of-band; the client simply compares the two
certificate copies.

Once the certificate is verified, the client and server negotiate an
encryption key for the session, using a public key provided by the
server to encrypt that negotiation. Therefore the server has to have
access to a private key in order to decrypt the encryption key.

Both certificate and key are stored in industry-standard .PEM
format. Impala uses the same certificate and key for both Beeswax and
HS2, and the files containing the certificate and key are provided via
--ssl_server_certificate and --ssl_private_key. If either is non-blank,
SSL is enabled for Beeswax and HS2.

The Python shell supports SSL as of this patch via new --ssl and
--ca_cert flags.

Finally, this patch also adds support for Impala's ThriftClients to use
SSL, paving the way for having the backend service use encryption on the
wire as well (although such a configuration is not used by this
patch). The client SSL support is only currently used for the new test
case.

This patch does not enable 'mutual' authentication, where clients
provide certificates to the server in order to authenticate
themselves. Impala has other authentication mechanisms for that purpose.

Change-Id: I3942aa0d21b34b7cda748292f04a9523f35ee6d4
Reviewed-on: http://gerrit.ent.cloudera.com:8080/514
Tested-by: jenkins
Reviewed-by: Henry Robinson <henry@cloudera.com>
Henry Robinson
2013-09-21 17:51:58 -07:00
parent f3e4df14ac
commit b9bc9a9e89
15 changed files with 341 additions and 60 deletions


@@ -13,7 +13,7 @@
# limitations under the License.
# set the python path for test modules and beeswax
PYTHONPATH=$IMPALA_HOME:$IMPALA_HOME/shell/gen-py:$HIVE_HOME/lib/py
PYTHONPATH=$IMPALA_HOME:$IMPALA_HOME/shell/gen-py
# There should be just a single version of python that created the
# site-packages directory.
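Review bot: the removal of $HIVE_HOME/lib/py from the initial PYTHONPATH (the first PYTHONPATH= line is replaced by one listing only $IMPALA_HOME and $IMPALA_HOME/shell/gen-py) is explained only by a comment in the later hunk; add a one-line comment here, e.g. `# $HIVE_HOME/lib/py is appended after Thrift below`, so a reader of this section does not conclude that Hive's Python modules were dropped. It is also worth stating in the commit message that this changes import precedence: any module shipped both in Thrift's site-packages and in Hive's lib/py now resolves to the Thrift copy.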
@@ -24,6 +24,9 @@ for PYTHON_DIR in ${THRIFT_HOME}/python/lib/python*/site-packages; do
PYTHONPATH=$PYTHONPATH:${PYTHON_DIR}/
done
# Add Hive after Thrift because Hive supplies its own Thrift modules
PYTHONPATH=$PYTHONPATH:$HIVE_HOME/lib/py
# Add all the built eggs to the python path
for EGG in ${IMPALA_HOME}/shell/ext-py/*/dist/*.egg; do
PYTHONPATH=${PYTHONPATH}:${EGG}
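Review bot: the new `PYTHONPATH=$PYTHONPATH:$HIVE_HOME/lib/py` line has no guard for an unset HIVE_HOME, so an environment missing that variable silently appends `/lib/py` to the path instead of failing; suggest `PYTHONPATH=$PYTHONPATH:${HIVE_HOME:?HIVE_HOME must be set}/lib/py`, or wrapping the append in `if [ -n "$HIVE_HOME" ]`. Minor style point: the surrounding lines use the `${THRIFT_HOME}` / `${PYTHON_DIR}` brace form, so `${HIVE_HOME}` would be consistent.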