LDAP authentication in Impala

Sergei Tikhomirov
Contents

Impala allows you to authenticate in impala-shell via LDAP for the Impala Daemon (impalad) connection.

Enable LDAP

To enable LDAP authentication, follow the steps below:

  1. On the Clusters page, select your ADH cluster and proceed to the Services tab in the cluster menu.

  2. Select the Impala service and activate the Enable LDAP parameter group.

  3. Fill in the LDAP parameters for Active Directory or FreeIPA and restart Impala.

    IMPORTANT
    The ldap_baseDN, ldap_domain, and ldap_bind_pattern parameters are mutually exclusive.

  • Active Directory

  • FreeIPA

LDAP Active Directory configuration
LDAP AD configuration
LDAP FreeIPA configuration
LDAP FreeIPA configuration

Check

Impala-shell requires a configuration file or runtime arguments like username and password. For convenience, you can add the user and ldap_password_cmd parameters to the configuration file:

[impala]
use_ldap=true
auth_creds_ok_in_clear=true
user=<username>
ldap_password_cmd=<pwd_print_command>

where:

  • <username> is a short username;

  • <pwd_print_command> is a command which prints a password. For example, if you want to store the password in the impalarc file, use ldap_password_cmd=echo -n myPassword. Alternatively, if you store (or plan to store) the password in a file, use the ldap_password_cmd=cat /etc/impala/conf/user-pass.pwd template with any file extension.

Instead of dealing with it manually, you can set the configuration files right in ADCM:

  1. In the Impala service menu, navigate to the Components tab and click Impala Client.

  2. Edit the impala-shell-env.sh and impalarc files. The former is responsible for setting the system variables, while the latter contains the configuration.

NOTE
By default, the bundle doesn’t save the user password declared in impalarc, so it’s up to you whether to store a user password and where to store it. The bundle only saves the admin password for LDAP searches and authentication in a file.

To apply the LDAP settings from a config file, use the command below:

$ impala-shell --config_file=<path_to_config_file>

The config file setting is not necessary as, by default, the file defined in impala-shell-env.sh is used. If you want to use a config from a custom location, edit the impala-shell-env.sh parameter in ADCM by overwriting the IMPALA_SHELL_GLOBAL_CONFIG_FILE variable with the path to your custom config. To read about using impala-shell with custom configuration, see the Use impala-shell to connect to Impala article.

Found a mistake? Seleсt text and press Ctrl+Enter to report it