mirror of
https://github.com/apache/impala.git
synced 2025-12-30 03:01:44 -05:00
389860bf0d
Change-Id: I710dd809e6a3f8dee89f4ed8997bba0c2aa2c783 Reviewed-on: http://gerrit.cloudera.org:8080/9983 Reviewed-by: Sailesh Mukil <sailesh@cloudera.com> Tested-by: Impala Public Jenkins <impala-public-jenkins@cloudera.com>
197 lines
7.1 KiB
XML
197 lines
7.1 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!--
|
|
Licensed to the Apache Software Foundation (ASF) under one
|
|
or more contributor license agreements. See the NOTICE file
|
|
distributed with this work for additional information
|
|
regarding copyright ownership. The ASF licenses this file
|
|
to you under the Apache License, Version 2.0 (the
|
|
"License"); you may not use this file except in compliance
|
|
with the License. You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing,
|
|
software distributed under the License is distributed on an
|
|
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
|
KIND, either express or implied. See the License for the
|
|
specific language governing permissions and limitations
|
|
under the License.
|
|
-->
|
|
<!DOCTYPE concept PUBLIC "-//OASIS//DTD DITA Concept//EN" "concept.dtd">
|
|
<concept id="ssl">
|
|
|
|
<title id="tls">Configuring TLS/SSL for Impala</title>
|
|
|
|
<prolog>
|
|
<metadata>
|
|
<data name="Category" value="Impala"/>
|
|
<data name="Category" value="Security"/>
|
|
<data name="Category" value="SSL"/>
|
|
<data name="Category" value="Encryption"/>
|
|
<data name="Category" value="Configuring"/>
|
|
<data name="Category" value="Administrators"/>
|
|
</metadata>
|
|
</prolog>
|
|
|
|
<conbody>
|
|
|
|
<p>
|
|
<indexterm audience="hidden">SSL</indexterm>
|
|
Impala supports TLS/SSL network encryption, between Impala and client
|
|
programs, and between the Impala-related daemons running on different nodes
|
|
in the cluster. This feature is important when you also use other features such as Kerberos
|
|
authentication or Sentry authorization, where credentials are being
|
|
transmitted back and forth.
|
|
</p>
|
|
|
|
</conbody>
|
|
|
|
<concept id="concept_q1p_j2d_rp">
|
|
|
|
<title>Using the Command Line</title>
|
|
|
|
<conbody>
|
|
<p>
|
|
To enable SSL for when client applications connect to Impala, add both of the following flags to the <cmdname>impalad</cmdname> startup options:
|
|
</p>
|
|
|
|
<ul id="ul_i2p_m2d_rp">
|
|
<li>
|
|
<codeph>--ssl_server_certificate</codeph>: the full path to the server certificate, on the local filesystem.
|
|
</li>
|
|
|
|
<li>
|
|
<codeph>--ssl_private_key</codeph>: the full path to the server private key, on the local filesystem.
|
|
</li>
|
|
</ul>
|
|
|
|
<p rev="2.3.0">
|
|
In <keyword keyref="impala23_full"/> and higher, Impala can also use SSL for its own internal communication between the
|
|
<cmdname>impalad</cmdname>, <codeph>statestored</codeph>, and <codeph>catalogd</codeph> daemons.
|
|
To enable this additional SSL encryption, set the <codeph>--ssl_server_certificate</codeph>
|
|
and <codeph>--ssl_private_key</codeph> flags in the startup options for
|
|
<cmdname>impalad</cmdname>, <cmdname>catalogd</cmdname>, and <cmdname>statestored</cmdname>,
|
|
and also add the <codeph>--ssl_client_ca_certificate</codeph> flag for all three of those daemons.
|
|
</p>
|
|
|
|
<note conref="../shared/impala_common.xml#common/impala_kerberos_ssl_caveat"/>
|
|
|
|
<p>
|
|
If either of these flags are set, both must be set. In that case, Impala starts listening for Beeswax and HiveServer2 requests on
|
|
SSL-secured ports only. (The port numbers stay the same; see <xref href="impala_ports.xml#ports"/> for details.)
|
|
</p>
|
|
|
|
<p>
|
|
Since Impala uses passphrase-less certificates in PEM format, you can reuse a host's existing Java keystore
|
|
by using the <codeph>openssl</codeph> toolkit to convert it to the PEM format.
|
|
</p>
|
|
|
|
<section id="secref">
|
|
|
|
<title>Configuring TLS/SSL Communication for the Impala Shell</title>
|
|
|
|
<p>
|
|
With SSL enabled for Impala, use the following options when starting the
|
|
<cmdname>impala-shell</cmdname> interpreter:
|
|
</p>
|
|
|
|
<ul id="ul_kgp_m2d_rp">
|
|
<li>
|
|
<codeph>--ssl</codeph>: enables TLS/SSL for <cmdname>impala-shell</cmdname>.
|
|
</li>
|
|
|
|
<li>
|
|
<codeph>--ca_cert</codeph>: the local pathname pointing to the third-party CA certificate, or to a copy of the server
|
|
certificate for self-signed server certificates.
|
|
</li>
|
|
</ul>
|
|
|
|
<p>
|
|
If <codeph>--ca_cert</codeph> is not set, <cmdname>impala-shell</cmdname> enables TLS/SSL, but does not validate the server
|
|
certificate. This is useful for connecting to a known-good Impala that is only running over TLS/SSL, when a copy of the
|
|
certificate is not available (such as when debugging customer installations).
|
|
</p>
|
|
|
|
</section>
|
|
|
|
</conbody>
|
|
|
|
</concept>
|
|
|
|
<concept id="ssl_jdbc_odbc">
|
|
<title>Using TLS/SSL with Business Intelligence Tools</title>
|
|
<conbody>
|
|
<p>
|
|
You can use Kerberos authentication, TLS/SSL encryption, or both to secure
|
|
connections from JDBC and ODBC applications to Impala.
|
|
See <xref href="impala_jdbc.xml#impala_jdbc"/> and <xref href="impala_odbc.xml#impala_odbc"/>
|
|
for details.
|
|
</p>
|
|
|
|
<p conref="../shared/impala_common.xml#common/hive_jdbc_ssl_kerberos_caveat"/>
|
|
</conbody>
|
|
</concept>
|
|
|
|
<concept id="tls_min_version" rev="2.10.0 IMPALA-5743">
|
|
|
|
<title>Specifying TLS/SSL Minimum Allowed Version and Ciphers</title>
|
|
|
|
<conbody>
|
|
|
|
<p>
|
|
Depending on your cluster configuration and the security practices in your
|
|
organization, you might need to restrict the allowed versions of TLS/SSL
|
|
used by Impala. Older TLS/SSL versions might have vulnerabilities or lack
|
|
certain features. In <keyword keyref="impala210_full"/>, you can use startup
|
|
options for the <cmdname>impalad</cmdname>, <cmdname>catalogd</cmdname>,
|
|
and <cmdname>statestored</cmdname> daemons to specify a minimum allowed
|
|
version of TLS/SSL.
|
|
</p>
|
|
|
|
<p>
|
|
Specify one of the following values for the <codeph>--ssl_minimum_version</codeph>
|
|
configuration setting:
|
|
</p>
|
|
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
<codeph>tlsv1</codeph>: Allow any TLS version of 1.0 or higher.
|
|
This setting is the default when TLS/SSL is enabled.
|
|
</p>
|
|
</li>
|
|
<li>
|
|
<p>
|
|
<codeph>tlsv1.1</codeph>: Allow any TLS version of 1.1 or higher.
|
|
</p>
|
|
</li>
|
|
<li>
|
|
<p>
|
|
<codeph>tlsv1.2</codeph>: Allow any TLS version of 1.2 or higher.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
|
|
<p>
|
|
Along with specifying the version, you can also specify the allowed set of TLS ciphers
|
|
by using the <codeph>--ssl_cipher_list</codeph> configuration setting. The argument to
|
|
this option is a list of keywords, separated by colons, commas, or spaces, and
|
|
optionally including other notation. For example:
|
|
</p>
|
|
|
|
<codeblock>
|
|
--ssl_cipher_list="RC4-SHA,RC4-MD5"
|
|
</codeblock>
|
|
|
|
<p>
|
|
By default, the cipher list is empty, and Impala uses the default cipher list for
|
|
the underlying platform. See the output of <cmdname>man ciphers</cmdname> for the full
|
|
set of keywords and notation allowed in the argument string.
|
|
</p>
|
|
|
|
</conbody>
|
|
|
|
</concept>
|
|
|
|
</concept>
|