Using Kerberos

Kerberos must be installed and configured before you can use this authentication mechanism. For more information, refer to the MIT Kerberos Documentation: http://web.mit.edu/kerberos/krb5-latest/doc/.

To configure Kerberos authentication:

  1. Set the AuthMech connection attribute to Kerberos.
  2. Choose one:
    • To use the default realm defined in your Kerberos setup, do not set the KrbRealm attribute.
    • Or, if your Kerberos setup does not define a default realm or if the realm of your Impala server is not the default, then set the appropriate realm using the KrbRealm attribute.
  3. Optionally, if you are using MIT Kerberos and a Kerberos realm is specified using the KrbRealm connection attribute, then choose one:
    • To have the Kerberos layer canonicalize the server's service principal name, leave the ServicePrincipalCanonicalization attribute set to 1.
    • Or, to prevent the Kerberos layer from canonicalizing the server's service principal name, set the ServicePrincipalCanonicalization attribute to 0.
  4. Set the KrbFQDN attribute to the fully qualified domain name of the Impala server host.

    5. Note:

    To use the Impala server host name as the fully qualified domain name for Kerberos authentication, set KrbFQDN to _HOST.

  5. Set the KrbServiceName attribute to the service name of the Impala server.
  6. Optionally, set the TSaslTransportBufSize attribute to the number of bytes to reserve in memory for buffering unencrypted data from the network.

    7. Note:

    In most circumstances, the default value of 1000 bytes is optimal.

Related topics