mirror of
https://github.com/apache/impala.git
synced 2026-01-05 03:01:02 -05:00
8b417c6921
Change-Id: I07d56463939fe152c1c6124cc0ad5591337bad6b Reviewed-on: http://gerrit.cloudera.org:8080/6179 Reviewed-by: Ambreen Kazi <ambreen.kazi@cloudera.com> Tested-by: Impala Public Jenkins Reviewed-by: John Russell <jrussell@cloudera.com>
136 lines
5.1 KiB
XML
136 lines
5.1 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!--
|
|
Licensed to the Apache Software Foundation (ASF) under one
|
|
or more contributor license agreements. See the NOTICE file
|
|
distributed with this work for additional information
|
|
regarding copyright ownership. The ASF licenses this file
|
|
to you under the Apache License, Version 2.0 (the
|
|
"License"); you may not use this file except in compliance
|
|
with the License. You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing,
|
|
software distributed under the License is distributed on an
|
|
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
|
KIND, either express or implied. See the License for the
|
|
specific language governing permissions and limitations
|
|
under the License.
|
|
-->
|
|
<!DOCTYPE concept PUBLIC "-//OASIS//DTD DITA Concept//EN" "concept.dtd">
|
|
<concept id="ssl">
|
|
|
|
<title id="tls">Configuring TLS/SSL for Impala</title>
|
|
|
|
<prolog>
|
|
<metadata>
|
|
<data name="Category" value="Impala"/>
|
|
<data name="Category" value="Security"/>
|
|
<data name="Category" value="SSL"/>
|
|
<data name="Category" value="Encryption"/>
|
|
<data name="Category" value="Configuring"/>
|
|
<data name="Category" value="Administrators"/>
|
|
</metadata>
|
|
</prolog>
|
|
|
|
<conbody>
|
|
|
|
<p>
|
|
<indexterm audience="hidden">SSL</indexterm>
|
|
Impala supports TLS/SSL network encryption, between Impala and client
|
|
programs, and between the Impala-related daemons running on different nodes
|
|
in the cluster. This feature is important when you also use other features such as Kerberos
|
|
authentication or Sentry authorization, where credentials are being
|
|
transmitted back and forth.
|
|
</p>
|
|
|
|
</conbody>
|
|
|
|
<concept id="concept_q1p_j2d_rp">
|
|
|
|
<title>Using the Command Line</title>
|
|
|
|
<conbody>
|
|
<p>
|
|
To enable SSL for when client applications connect to Impala, add both of the following flags to the <cmdname>impalad</cmdname> startup options:
|
|
</p>
|
|
|
|
<ul id="ul_i2p_m2d_rp">
|
|
<li>
|
|
<codeph>--ssl_server_certificate</codeph>: the full path to the server certificate, on the local filesystem.
|
|
</li>
|
|
|
|
<li>
|
|
<codeph>--ssl_private_key</codeph>: the full path to the server private key, on the local filesystem.
|
|
</li>
|
|
</ul>
|
|
|
|
<p rev="2.3.0">
|
|
In <keyword keyref="impala23_full"/> and higher, Impala can also use SSL for its own internal communication between the
|
|
<cmdname>impalad</cmdname>, <codeph>statestored</codeph>, and <codeph>catalogd</codeph> daemons.
|
|
To enable this additional SSL encryption, set the <codeph>--ssl_server_certificate</codeph>
|
|
and <codeph>--ssl_private_key</codeph> flags in the startup options for
|
|
<cmdname>impalad</cmdname>, <cmdname>catalogd</cmdname>, and <cmdname>statestored</cmdname>,
|
|
and also add the <codeph>--ssl_client_ca_certificate</codeph> flag for all three of those daemons.
|
|
</p>
|
|
|
|
<note conref="../shared/impala_common.xml#common/impala_kerberos_ssl_caveat"/>
|
|
|
|
<p>
|
|
If either of these flags are set, both must be set. In that case, Impala starts listening for Beeswax and HiveServer2 requests on
|
|
SSL-secured ports only. (The port numbers stay the same; see <xref href="impala_ports.xml#ports"/> for details.)
|
|
</p>
|
|
|
|
<p>
|
|
Since Impala uses passphrase-less certificates in PEM format, you can reuse a host's existing Java keystore
|
|
by using the <codeph>openssl</codeph> toolkit to convert it to the PEM format.
|
|
</p>
|
|
|
|
<section id="secref">
|
|
|
|
<title>Configuring TLS/SSL Communication for the Impala Shell</title>
|
|
|
|
<p>
|
|
With SSL enabled for Impala, use the following options when starting the
|
|
<cmdname>impala-shell</cmdname> interpreter:
|
|
</p>
|
|
|
|
<ul id="ul_kgp_m2d_rp">
|
|
<li>
|
|
<codeph>--ssl</codeph>: enables TLS/SSL for <cmdname>impala-shell</cmdname>.
|
|
</li>
|
|
|
|
<li>
|
|
<codeph>--ca_cert</codeph>: the local pathname pointing to the third-party CA certificate, or to a copy of the server
|
|
certificate for self-signed server certificates.
|
|
</li>
|
|
</ul>
|
|
|
|
<p>
|
|
If <codeph>--ca_cert</codeph> is not set, <cmdname>impala-shell</cmdname> enables TLS/SSL, but does not validate the server
|
|
certificate. This is useful for connecting to a known-good Impala that is only running over TLS/SSL, when a copy of the
|
|
certificate is not available (such as when debugging customer installations).
|
|
</p>
|
|
|
|
</section>
|
|
|
|
</conbody>
|
|
|
|
</concept>
|
|
|
|
<concept id="ssl_jdbc_odbc">
|
|
<title>Using TLS/SSL with Business Intelligence Tools</title>
|
|
<conbody>
|
|
<p>
|
|
You can use Kerberos authentication, TLS/SSL encryption, or both to secure
|
|
connections from JDBC and ODBC applications to Impala.
|
|
See <xref href="impala_jdbc.xml#impala_jdbc"/> and <xref href="impala_odbc.xml#impala_odbc"/>
|
|
for details.
|
|
</p>
|
|
|
|
<p conref="../shared/impala_common.xml#common/hive_jdbc_ssl_kerberos_caveat"/>
|
|
</conbody>
|
|
</concept>
|
|
|
|
</concept>
|