impala-issues mailing list archives

From "Michael Brown (JIRA)" <>
Subject [jira] [Resolved] (IMPALA-5263) support CA bundles when running stress test against SSL'd Impala
Date Wed, 14 Jun 2017 16:23:00 GMT


Michael Brown resolved IMPALA-5263.
       Resolution: Fixed
    Fix Version/s:     (was: Product Backlog)
                   Impala 2.10.0

commit 428b5a1bfe5e8a533db95c98f8ffbc1f825cdcef
Author: Michael Brown <>
Date:   Sat Jun 10 16:35:00 2017 -0700

    IMPALA-5263: test infra: support CA bundles with secure clusters

    This patch adds the command line option --ca_cert to the common test
    infra CLI options for use alongside --use-ssl. This is useful when
    testing against a secured Impala cluster in which the SSL certs are
    self-signed. This will allow the SSL request to be validated. Using this
    option will also suppress noisy console warnings like:

      InsecureRequestWarning: Unverified HTTPS request is being made. Adding
      certificate verification is strongly advised. See:

    We also go further in this patch and use the warnings module to print
    these SSL-related warnings once and only once, instead of all over the
    place. In the case of the stress test, this greatly reduces the noise in
    the console log.

    - quick calls with and without --ca_cert to observe
      that connections still get made and the test runs smoothly. Some of
      this testing occurred without warning suppression, so that I could be
      sure the InsecureRequestWarnings were not occurring when using
      --ca_cert anymore.
    - ensured warnings are printed once, not multiple times

    Change-Id: Ifb9e466e4b7cde704cdc4cf98159c068c0a400a9
    Reviewed-by: David Knupp <>
    Tested-by: Impala Public Jenkins

> support CA bundles when running stress test against SSL'd Impala
> ----------------------------------------------------------------
>                 Key: IMPALA-5263
>                 URL:
>             Project: IMPALA
>          Issue Type: Improvement
>          Components: Infrastructure
>    Affects Versions: Impala 2.9.0
>            Reporter: Michael Brown
>            Assignee: Michael Brown
>             Fix For: Impala 2.10.0
> When running the stress test against an SSL'd Impala cluster, if the cluster has self-signed
> certificates the KerberosClient and requests library we use to query the Impala Web interface
> will fail. To get around that, I've set verify=False for the request Session. However, requests
> seems to support a CA bundle. If we can find a way to automate grabbing this CA bundle, we
> can try to remove verify=False here and use the bundle instead.

This message was sent by Atlassian JIRA
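
The behaviour the commit message describes, as an added example that is not the Impala test infra code: `--ca_cert` supplies the bundle that `requests` verifies against, and the unverified fallback warns once instead of on every request. The function names and the error handling are assumptions; only `--use-ssl`, `--ca_cert`, `verify` and `InsecureRequestWarning` come from the page.

```python
import argparse
import os
import warnings

try:
    from urllib3.exceptions import InsecureRequestWarning  # what requests emits
except ImportError:
    class InsecureRequestWarning(Warning):  # stand-in if urllib3 is not installed
        pass


def parse_args(argv):
    """Hypothetical CLI carrying the two options named in the commit message."""
    parser = argparse.ArgumentParser()
    parser.add_argument("--use-ssl", action="store_true")
    parser.add_argument("--ca_cert", default=None,
                        help="PEM CA bundle used to verify the server certificate")
    return parser.parse_args(argv)


def configure_warnings():
    """Show each distinct InsecureRequestWarning message once, not per request."""
    warnings.simplefilter("once", InsecureRequestWarning)


def tls_verify_setting(args):
    """Return the value to assign to requests.Session().verify."""
    if not args.use_ssl:
        if args.ca_cert:
            raise ValueError("--ca_cert only makes sense together with --use-ssl")
        return True  # plain HTTP: requests' default, nothing to verify
    if args.ca_cert:
        # Fail early on a bad path instead of on the first HTTPS request.
        if not os.path.isfile(args.ca_cert):
            raise ValueError("CA bundle not found: %s" % args.ca_cert)
        return args.ca_cert  # server chain is validated against this bundle
    # Fallback described in the issue: verification is off, so say so.
    warnings.warn("--use-ssl without --ca_cert: server certificate is not "
                  "verified", InsecureRequestWarning)
    return False


if __name__ == "__main__":
    import sys
    configure_warnings()
    # With requests installed: session = requests.Session()
    #                          session.verify = tls_verify_setting(args)
    print("verify =", tls_verify_setting(parse_args(sys.argv[1:])))
```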
