impala-user mailing list archives
From Sailesh Mukil <sail...@cloudera.com>
Subject Re: Using JDBC with Impala, Kerberos and Sentry
Date Tue, 11 Jul 2017 06:01:58 GMT
Hi Russell,

Did you happen to look at the 'KrbAuthType' from Page 86 in the docs?
https://www.cloudera.com/documentation/other/connectors/impala-jdbc/latest/Cloudera-JDBC-Driver-for-Impala-Install-Guide.pdf

If you don't specify the KrbAuthType, it would look for the principal
in the following order (pasting from the doc):

1. First, the driver tries to obtain the Subject from the current
thread's inherited AccessControlContext. If the AccessControlContext
contains multiple Subjects, the driver uses the most recent Subject.

2. If the first method does not work, then the driver checks the
java.security.auth.login.config system property for a JAAS
configuration. If a JAAS configuration is specified, the driver uses
that information to create a LoginContext and then uses the Subject
associated with it.

3. If the second method does not work, then the driver checks the
KRB5_CONFIG and KRB5CCNAME system environment variables for a Kerberos
ticket cache. The driver uses the information from the cache to create
a LoginContext and then uses the Subject associated with it.


In the default case, when you don't have a JAAS conf file, I've
noticed that it picks the last kinit-ed user from the Kerberos
credential cache (step 3) and uses that as the client principal (i.e.
the principal you're connecting as). Note that the 'KrbServiceName' is
the service principal name of the Impala server and not of the client.

Eg:

kinit foo
<Run JDBC app>

In the above case, 'foo' will be used as the client principal and will
be used against all the Sentry authorization checks.


On Wed, Jun 21, 2017 at 10:04 AM, Russell Harlin <rharlin@gmail.com> wrote:
>
> Hi,
>
> Based on the Impala documentation, it seems like it's required that JDBC connections
> use the same Kerberos principal used to start the impalad daemon.  This seems to work fine
> for me.  My question is, though, if I also want to use Sentry authorization how does impala
> distinguish users, since they're all using the same Kerberos principal?  Do we have to pass
> in the desired user to the JDBC connection?  Does this mean that we have to enable AD as well
> or can we use local users?
>
> Thanks,
>
> Russell
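The lookup order quoted above means that, with no JAAS configuration and no explicit Subject, the driver silently connects as whoever last ran kinit on that machine, and every Sentry check is then evaluated against that principal. An application that wants to be sure which principal it authenticates as should pin it, either through step 2 (a JAAS entry named by java.security.auth.login.config) or step 1 (log in itself and run the JDBC call inside Subject.doAs). The following is an added illustration of the step-1 approach, not code from the thread or from the Cloudera driver; the hostname, realm, keytab path, JAAS entry name "ImpalaClient" and the KrbAuthType value 1 (select the Subject from the calling thread) are assumptions to adapt to your cluster, and the query relies on Impala's built-in effective_user() function to report the principal the server actually authorized.

```java
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.Statement;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/*
 * Assumed JAAS file, passed with -Djava.security.auth.login.config=jaas.conf.
 * Logging in from a keytab makes the client principal explicit instead of
 * inheriting whatever principal is currently in the KRB5CCNAME ticket cache.
 *
 *   ImpalaClient {
 *     com.sun.security.auth.module.Krb5LoginModule required
 *       useKeyTab=true
 *       keyTab="/etc/security/keytabs/app.keytab"   // assumed path
 *       principal="app@EXAMPLE.COM"                 // assumed principal
 *       storeKey=true
 *       doNotPrompt=true;
 *   };
 */
public class ImpalaKerberosJdbc {

    // Assumed coordinator host and realm. AuthMech=1 selects Kerberos,
    // KrbServiceName is the *server's* service principal (impala/<fqdn>@REALM),
    // and KrbAuthType=1 tells the driver to take the Subject from the
    // calling thread rather than probing JAAS or the ticket cache.
    private static final String URL =
        "jdbc:impala://impala-coord.example.com:21050;AuthMech=1;"
        + "KrbRealm=EXAMPLE.COM;KrbHostFQDN=impala-coord.example.com;"
        + "KrbServiceName=impala;KrbAuthType=1";

    /** Authenticate via the named JAAS entry and return the resulting Subject. */
    static Subject login(String jaasEntry) throws LoginException {
        LoginContext lc = new LoginContext(jaasEntry);
        lc.login();
        return lc.getSubject();
    }

    /**
     * Open the JDBC connection inside Subject.doAs so the driver's step 1
     * finds exactly this Subject, then ask Impala which user it authorized.
     */
    static String effectiveUserAs(Subject subject) throws PrivilegedActionException {
        return Subject.doAs(subject, (PrivilegedExceptionAction<String>) () -> {
            try (Connection c = DriverManager.getConnection(URL);
                 Statement s = c.createStatement();
                 ResultSet rs = s.executeQuery("SELECT effective_user()")) {
                rs.next();
                return rs.getString(1);
            }
        });
    }

    public static void main(String[] args) throws Exception {
        Subject subject = login("ImpalaClient");
        System.out.println("Logged in as: " + subject.getPrincipals());
        // Sentry evaluates its grants against this value, so it should match
        // the principal in the JAAS entry, not the last kinit on the box.
        System.out.println("Impala effective_user(): " + effectiveUserAs(subject));
    }
}
```

Comparing the printed effective_user() with the principal in the JAAS entry is the quickest way to confirm that the driver did not fall through to the ticket cache; if the two differ, the Subject was not visible on the thread that called getConnection (for example because the call was dispatched to a pool thread outside the doAs block).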
