Using Advanced Kerberos

This authentication mechanism allows concurrent connections within the same process to use different Kerberos user principals.

When you use Advanced Kerberos authentication, you do not need to run the kinit command to obtain a Kerberos ticket. Instead, you use a JSON file to map your Impala user name to a Kerberos user principal name and a keytab that contains the corresponding keys. The connector obtains Kerberos tickets based on the specified mapping. As a fallback, you can specify a keytab that the connector uses by default if the mapping file is not available or if no matching keytab can be found in the mapping file.

Note:

  • For information about the schema of the mapping file and how the connector handles invalid mappings, see UPN Keytab Mapping File.
  • For information about how the connector searches for a keytab file if the keytab mapping and default keytab file are invalid, see Default Keytab File.

To configure Advanced Kerberos authentication:

  1. Set the AuthMech connection attribute to Kerberos.
  2. Choose one:
    • To use the default realm defined in your Kerberos setup, do not set the KrbRealm attribute.
    • Or, if your Kerberos setup does not define a default realm or if the realm of your Impala server is not the default, then set the appropriate realm using the KrbRealm attribute.
  3. Optionally, if you are using MIT Kerberos and a Kerberos realm is specified using the KrbRealm connection attribute, then choose one:
    • To have the Kerberos layer canonicalize the server's service principal name, leave the ServicePrincipalCanonicalization attribute set to 1.
    • Or, to prevent the Kerberos layer from canonicalizing the server's service principal name, set the ServicePrincipalCanonicalization attribute to 0.
  4. Set the KrbFQDN attribute to the fully qualified domain name of the Impala server host.
    Note: To use the Impala server host name as the fully qualified domain name for Kerberos authentication, set KrbFQDN to _HOST.

  5. Set the KrbServiceName attribute to the service name of the Impala server.
  6. Set the UseKeytab attribute to 1.
  7. Set the UID attribute to an appropriate user name for accessing the Impala server.
  8. Set the UPNKeytabMappingFile attribute to the full path to a JSON file that maps your Impala user name to a Kerberos user principal name and a keytab file.
  9. Set the DefaultKeytabFile attribute to the full path to a keytab file that the connector can use if the mapping file is not available or if no matching keytab can be found in the mapping file.
  10. If the Impala server is configured to use SSL, then configure SSL for the connection. For more information, see Configuring SSL Verification.
  11. Optionally, set the TSaslTransportBufSize attribute to the number of bytes to reserve in memory for buffering unencrypted data from the network.

    Note: In most circumstances, the default value of 1000 bytes is optimal.
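The following is an added example, not part of the connector's documentation or code: it assembles the attributes from the procedure above into a connection string and checks the two secret files before the connector is handed them. It assumes the generic ODBC "Key=Value;" string syntax, and the realm, service name, user name and file contents are constructed placeholders; the mapping file's schema is documented separately, so only its JSON syntax is checked here.

```python
import json
import os
import stat
import tempfile

def build_connection_string(attrs):
    # Attribute names are the ones from the procedure; "Key=Value;" is assumed ODBC syntax.
    return ";".join(f"{k}={v}" for k, v in attrs.items()) + ";"

def check_secret_file(path, label):
    """Keytabs hold long-term keys: they must exist and be private to the owner."""
    if not os.path.isfile(path):
        return [f"{label}: {path!r} does not exist"]
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [f"{label}: {path!r} is group/world accessible (mode {oct(mode)})"]
    return []

def validate_advanced_kerberos(attrs):
    """Return a list of problems; an empty list means the settings look sane."""
    findings = []
    if attrs.get("AuthMech") != "Kerberos" or attrs.get("UseKeytab") != "1":
        findings.append("AuthMech must be Kerberos and UseKeytab must be 1")
    fqdn = attrs.get("KrbFQDN", "")
    if fqdn != "_HOST" and "." not in fqdn:
        findings.append(f"KrbFQDN {fqdn!r} is neither _HOST nor a fully qualified name")
    mapping = attrs.get("UPNKeytabMappingFile", "")
    findings += check_secret_file(mapping, "UPNKeytabMappingFile")
    if os.path.isfile(mapping):
        try:
            with open(mapping) as fh:
                json.load(fh)  # only syntax; the schema is the connector's concern
        except ValueError as exc:
            findings.append(f"UPNKeytabMappingFile is not valid JSON: {exc}")
    findings += check_secret_file(attrs.get("DefaultKeytabFile", ""), "DefaultKeytabFile")
    return findings

def demo():
    """Constructed sample: a private keytab, a mapping file, then a weakened variant."""
    tmp = tempfile.mkdtemp()
    keytab = os.path.join(tmp, "impala_user.keytab")
    mapping = os.path.join(tmp, "upn_mapping.json")
    with open(keytab, "wb") as fh:
        fh.write(b"\x05\x02")  # placeholder bytes, not a real keytab
    os.chmod(keytab, 0o600)
    with open(mapping, "w") as fh:
        fh.write("{}")  # constructed, empty mapping
    os.chmod(mapping, 0o600)
    attrs = {"AuthMech": "Kerberos", "KrbRealm": "EXAMPLE.COM", "KrbFQDN": "_HOST",
             "KrbServiceName": "impala", "UseKeytab": "1", "UID": "analyst",
             "UPNKeytabMappingFile": mapping, "DefaultKeytabFile": keytab}
    good = validate_advanced_kerberos(attrs)
    os.chmod(keytab, 0o644)  # loosen the keytab: the check must flag it
    bad = validate_advanced_kerberos(dict(attrs, KrbFQDN="impala-host"))
    return good, bad, build_connection_string(attrs)
```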