Impala 1.2.2 and higher support authentication against LDAP servers.
Only client-to-Impala connections can be authenticated by LDAP. Kerberos is the only authentication mechanism for connections between internal components, such as between the Impala daemon (impalad), the statestore daemon, and the catalog daemon.
To avoid sending credentials over the wire in cleartext, you must configure SSL between both the client and Impala, and between Impala and the LDAP server.
These requirements apply on the server side when configuring and starting Impala:
To enable LDAP authentication, set the following two startup options for impalad:
- --enable_ldap_auth enables LDAP-based authentication between the client and Impala.
- --ldap_uri sets the URI of the LDAP server to use. Typically, the URI should be prefixed with ldap://. The URI can optionally specify the port, for example: ldap://ldap_server.cloudera.com:389.
- If you need to provide a custom SASL configuration, set --ldap_manual_config to bypass all the automatic configuration.
For a secure connection using TLS, also set the following flag:
- --ldap_tls tells Impala to start a TLS connection to the LDAP server, and to fail authentication if it cannot be done.
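As an added example (not part of Impala or its documentation), the following POSIX shell function audits an impalad startup flag set for the three settings above and rejects the weak configuration in which --enable_ldap_auth is on but --ldap_tls is missing, so client passwords would reach the LDAP server in cleartext. The hostnames are placeholders, and treating an ldaps:// URI as already encrypted is an assumption beyond what this page documents.

```shell
#!/bin/sh
# Added example, not Impala's own tooling: audit impalad startup flags for the
# LDAP settings described above. Returns 0 only when LDAP authentication is
# enabled, an LDAP URI is set, and the Impala-to-LDAP leg is protected by TLS.
check_impalad_ldap_flags() {
  has_auth=0; has_tls=0; ldap_uri=""
  for flag in $1; do
    case "$flag" in
      --enable_ldap_auth|--enable_ldap_auth=true) has_auth=1 ;;
      --ldap_uri=*) ldap_uri="${flag#--ldap_uri=}" ;;
      --ldap_tls|--ldap_tls=true) has_tls=1 ;;
    esac
  done
  if [ "$has_auth" -ne 1 ]; then
    echo "FAIL: --enable_ldap_auth is not set; clients cannot authenticate via LDAP"
    return 1
  fi
  if [ -z "$ldap_uri" ]; then
    echo "FAIL: --ldap_uri is not set"
    return 1
  fi
  # Assumption: an ldaps:// URI is treated as already encrypted. The page itself
  # only documents --ldap_tls for protecting the Impala-to-LDAP connection.
  case "$ldap_uri" in
    ldaps://*) ;;
    ldap://*)
      if [ "$has_tls" -ne 1 ]; then
        echo "FAIL: $ldap_uri without --ldap_tls sends passwords to the LDAP server in cleartext"
        return 1
      fi ;;
    *)
      echo "FAIL: unrecognised LDAP URI scheme in $ldap_uri"
      return 1 ;;
  esac
  echo "OK: LDAP auth enabled against $ldap_uri with TLS enforced"
  return 0
}

# Constructed sample flag sets; hostnames are placeholders.
WEAK_FLAGS="--enable_ldap_auth --ldap_uri=ldap://ldap.example.com:389"
HARDENED_FLAGS="--enable_ldap_auth --ldap_uri=ldap://ldap.example.com:389 --ldap_tls"

check_impalad_ldap_flags "$WEAK_FLAGS" || true   # reported as FAIL
check_impalad_ldap_flags "$HARDENED_FLAGS"       # reported as OK
```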
To connect to Impala using LDAP authentication, you specify command-line options to the impala-shell command interpreter. -l enables LDAP authentication. -u sets the user, and impala-shell prompts for the password. With Active Directory, the user is the short user name, not the full LDAP distinguished name. For the full list of available impala-shell options, see impala-shell Command-Line Options.
The LDAP support is preliminary. It currently has only been tested against Active Directory.