Using Advanced Kerberos

The Advanced Kerberos authentication mechanism allows concurrent connections within the same process to use different Kerberos user principals.

This authentication mechanism is supported only when the connector is configured to handle Kerberos authentication using MIT Kerberos:

  • MIT Kerberos must be installed on your machine.
  • The Use Only SSPI option must be disabled. For more information, see Use Only SSPI.

When you use Advanced Kerberos authentication, you do not need to run the kinit command to obtain a Kerberos ticket. Instead, you provide a JSON file that maps each Impala user name to a Kerberos user principal name and to a keytab that holds that principal's keys; the connector obtains Kerberos tickets for the mapped principal itself. As a fallback, you can specify a default keytab that the connector uses if the mapping file is not available or if no matching keytab can be found in the mapping file. Because a keytab contains long-term keys that are equivalent to the principal's password, store each keytab where only the account that runs the connector can read it.

Note:

  • For information about the schema of the mapping file and how the connector handles invalid mappings, see UPN Keytab Mapping File.
  • For information about how the connector searches for a keytab file if the keytab mapping and default keytab file are invalid, see Default Keytab File.

To configure Advanced Kerberos authentication:

  1. To access authentication options, open the ODBC Data Source Administrator where you created the DSN, select the DSN, and then click Configure.
  2. In the Mechanism drop-down list, select Kerberos.
  3. Choose one:
    • To use the default realm defined in your Kerberos setup, leave the Realm field empty.
    • Or, if your Kerberos setup does not define a default realm, or if the realm of the Impala server host is not the default, then, in the Realm field, type the Kerberos realm of the Impala server.
  4. In the Host FQDN field, type the fully qualified domain name of the Impala server host.

    Note: To use the Impala server host name as the fully qualified domain name for Kerberos authentication, type _HOST in the Host FQDN field.

  5. In the Service Name field, type the service name of the Impala server.
  6. Optionally, if a Kerberos realm is specified in the Realm field, choose one:
    • To have the Kerberos layer canonicalize the server's service principal name, leave the Canonicalize Principal FQDN check box selected.
    • Or, to prevent the Kerberos layer from canonicalizing the server's service principal name, clear the Canonicalize Principal FQDN check box.
  7. Select the Use Keytab check box.

    Note: If the check box is not available, make sure that MIT Kerberos is installed on your machine.

  8. In the User Name field, type an appropriate user name for accessing the Impala server. This is the Impala user name that the connector looks up in the UPN keytab mapping file.
  9. Click Keytab Options and then do the following in the Keytab Options dialog box:
    1. In the UPN Keytab Mapping File field, specify the full path to a JSON file that maps your Impala user name to a Kerberos user principal name and a keytab file.
    2. In the Default Keytab File field, specify the full path to a keytab file that the connector can use if the mapping file is not available or if no matching keytab can be found in the mapping file.
    3. To save your settings and close the dialog box, click OK.
  10. If the Impala server is configured to use SSL, click SSL Options to configure SSL for the connection. For more information, see Configuring SSL Verification.
  11. Optionally, in the Transport Buffer Size field, type the number of bytes to reserve in memory for buffering unencrypted data from the network.

    Note: In most circumstances, the default value of 1000 bytes is optimal.

  12. To save your settings and close the dialog box, click OK.
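The mapping file and the default keytab are only useful if the keytab they point at actually holds keys for the mapped principal in the expected realm, so it is worth checking that before saving the DSN. The following Python script is an added example, not code from the original page or from the connector: it implements a reader for the MIT keytab file format (version 0x0502), constructs a small sample keytab inline (placeholder key bytes, and the principals impalauser and legacyuser in the made-up realm EXAMPLE.COM), and reports whether a given user principal name is present, with which key version numbers and enctypes, and whether it is backed only by deprecated enctypes. The JSON schema of the mapping file is documented in UPN Keytab Mapping File and is not reproduced here.

```python
import struct
from typing import Dict, List

# Added example: reader (and a writer used only to build sample input) for the
# MIT keytab file format, version 0x0502. Real keytabs are produced by
# kadmin/ktutil; the writer here exists so the script runs offline.

KEYTAB_MAGIC = b"\x05\x02"

# Subset of the RFC 3961/4120 enctype numbers, with the names MIT Kerberos prints.
ENCTYPE_NAMES = {
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128",
    20: "aes256-cts-hmac-sha384-192",
    23: "arcfour-hmac",
}
# DES, 3DES and RC4 enctypes are deprecated (RFC 6649, RFC 8429).
WEAK_ENCTYPES = {1, 3, 16, 23}


def _counted(b: bytes) -> bytes:
    """Keytab counted_octet_string: 16-bit big-endian length, then the bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries: List[Dict]) -> bytes:
    """Serialise entries ({principal, realm, kvno, enctype, key}) as keytab bytes."""
    out = bytearray(KEYTAB_MAGIC)
    for e in entries:
        comps = e["principal"].split("/")
        body = struct.pack(">H", len(comps)) + _counted(e["realm"].encode())
        for c in comps:
            body += _counted(c.encode())
        # name_type (1 = KRB5_NT_PRINCIPAL), timestamp, 8-bit kvno
        body += struct.pack(">IIB", 1, e.get("timestamp", 0), e["kvno"] & 0xFF)
        body += struct.pack(">HH", e["enctype"], len(e["key"])) + e["key"]
        body += struct.pack(">I", e["kvno"])  # optional 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body  # size prefix excludes itself
    return bytes(out)


def parse_keytab(data: bytes) -> List[Dict]:
    """Parse keytab bytes into entry dicts. A negative size marks a deleted
    entry (a hole of that many bytes), which is skipped as MIT Kerberos does."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 MIT keytab (magic %r)" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:
            pos += -size
            continue
        if size == 0 or pos + size > len(data):
            raise ValueError("truncated keytab entry at offset %d" % (pos - 4))
        rec, off = data[pos:pos + size], 0

        def counted() -> bytes:
            nonlocal off
            (n,) = struct.unpack_from(">H", rec, off)
            off += 2 + n
            return rec[off - n:off]

        (ncomp,) = struct.unpack_from(">H", rec, off)  # realm is not counted in v2
        off += 2
        realm = counted().decode()
        comps = [counted().decode() for _ in range(ncomp)]
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", rec, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", rec, off)
        off += 4
        key = rec[off:off + klen]
        off += klen
        kvno = vno8
        if off + 4 <= size:  # 32-bit kvno present; MIT uses it when non-zero
            (vno32,) = struct.unpack_from(">I", rec, off)
            if vno32:
                kvno = vno32
        entries.append({"principal": "/".join(comps), "realm": realm,
                        "name_type": name_type, "timestamp": timestamp,
                        "kvno": kvno, "enctype": enctype, "key": key})
        pos += size
    return entries


def check_upn(data: bytes, upn: str) -> Dict:
    """Report whether keytab `data` holds keys for `upn` ('user@REALM' or
    'user/instance@REALM'), i.e. what the connector needs from a mapped keytab."""
    principal, _, realm = upn.rpartition("@")
    if not realm:
        raise ValueError("UPN must include a realm: " + upn)
    matches = [e for e in parse_keytab(data)
               if e["principal"] == principal and e["realm"] == realm]
    return {
        "found": bool(matches),
        "kvnos": sorted({e["kvno"] for e in matches}),
        "enctypes": sorted(ENCTYPE_NAMES.get(e["enctype"], str(e["enctype"])) for e in matches),
        "weak_only": bool(matches) and all(e["enctype"] in WEAK_ENCTYPES for e in matches),
    }


# Constructed sample keytab: placeholder key bytes, not real Kerberos keys.
SAMPLE_KEYTAB = build_keytab([
    {"principal": "impalauser", "realm": "EXAMPLE.COM", "kvno": 3, "enctype": 18, "key": b"\x11" * 32},
    {"principal": "impalauser", "realm": "EXAMPLE.COM", "kvno": 3, "enctype": 17, "key": b"\x22" * 16},
    {"principal": "legacyuser", "realm": "EXAMPLE.COM", "kvno": 1, "enctype": 23, "key": b"\x33" * 16},
])

if __name__ == "__main__":
    for upn in ("impalauser@EXAMPLE.COM", "legacyuser@EXAMPLE.COM", "nobody@EXAMPLE.COM"):
        print(upn, check_upn(SAMPLE_KEYTAB, upn))
```

To check a real keytab, read the file in binary mode and pass its bytes to check_upn together with the user principal name from the mapping file; a result with found set to False means the connector will fall through to the Default Keytab File for that user, and weak_only set to True means the principal is backed only by deprecated enctypes and the keytab should be regenerated with AES keys.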