Cannot connect to Kerberos-enabled Cloudera Impala

Hello

We are trying to connect to an Impala instance on a Cloudera 5.14 cluster secured by Kerberos MIT using KNIME AP 4.0, but we have not been successful so far.
We first set up the Kerberos Configuration in Preferences. “Validate” and “Log in” work as expected.

We have tried setting up 4 Connectors as follows:
1. Using the built-in JDBC Impala driver, with JDBC Parameters
kerberosAuthType=fromSubject
principal=impala/<hostname>@<REALM>
ssl=false

The error message when trying to Execute the Connector is:

ERROR Impala Connector 0:1 Execute failed: Could not open client transport with JDBC Uri: jdbc:hive2://***:21050/***;ssl=false;kerberosAuthType=fromSubject;principal=impala/***@***: null

2. Same setup as above, using the built-in JDBC Impala driver but with SSL enabled, with JDBC Parameters:
kerberosAuthType=fromSubject
principal=impala/<hostname>@<REALM>
ssl=true

The error message when trying to Execute the Connector is:

ERROR Impala Connector 0:1 Execute failed: Could not open client transport with JDBC Uri: jdbc:hive2://***:21050/***;ssl=true;kerberosAuthType=fromSubject;principal=impala/***@***: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

The Impala node is using a self-signed certificate which has been imported to the Java keystore via the Java Control Panel on Windows 10.

3. Using the Impala JDBC driver from Cloudera, v2.6, with JDBC parameters:
AuthMech=1
KrbHostFQDN=<hostname>
KrbRealm=<realm>
KrbServiceName=impala

Again, we cannot get a connection, with the error:
ERROR Impala Connector 0:1 Execute failed: [Cloudera][ImpalaJDBCDriver](500164) Error initialized or created transport for authentication: [Cloudera][ImpalaJDBCDriver](500169) Unable to connect to server: [Cloudera][ImpalaJDBCDriver](500591) Kerberos Authentication failed..

4. Using the Impala JDBC driver v2.5, with JDBC Parameters as above:
AuthMech=1
KrbHostFQDN=<hostname>
KrbRealm=<realm>
KrbServiceName=impala

Connecting fails with the error:
ERROR Impala Connector 0:8 Execute failed: [Simba][ImpalaJDBCDriver](500310) Invalid operation: Unable to obtain password from user

We can connect in other apps, with ODBC drivers, without problems.

What is the recommended way of connecting to such a setup?

Hi @nasospat

welcome to the KNIME community!

Concerning your issues: I am assuming that your Impala is set up in such a way that it expects clients to use SSL. This means that 1., 3. and 4. cannot work, because they are not connecting with SSL.

> The Impala node is using a self-signed certificate which has been imported to the Java keystore via the Java Control Panel on Windows 10.

KNIME includes its own Java Runtime environment (it was Oracle Java last time I checked). The Java Control Panel on Windows 10 has no effect on the Java Runtime which is included in KNIME.

There are two solutions to this:

  1. Make a new truststore file (= Java Keystore in JKS format) that contains Impala’s self-signed certificate and mark it as trusted. Then tell the JDBC driver about it:
    • The built-in driver needs the ssl, sslTrustStore, sslTrustStorePassword parameters (see [1])
    • The Cloudera driver needs the SSL, SSLTrustStore and SSLTrustStorePwd parameters (please consult the Installation and Configuration Guide PDF that comes with the driver; it contains all the details)
  2. Add the certificate to the global truststore that is part of the JRE that KNIME uses. You can find the truststore under <knime-installation-folder>/plugins/org.knime.binary.jre.<os>.x86_64_<version>/jre/lib/security/cacerts. Please note that you have to repeat this after updating KNIME (whenever we update our JRE).

[1] https://cwiki.apache.org/confluence/display/Hive/HiveServer2+Clients#HiveServer2Clients-ConnectionURLWhenSSLIsEnabledinHiveServer2

Björn

5 Likes
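
The PKIX error in attempt 2 means the JRE that opened the connection could not build a trust path to Impala's self-signed certificate. The check below is an added example, not part of the thread and not KNIME or Cloudera code: it performs a TLS handshake against the Impala port using either a given JKS truststore (solution 1) or the default truststore of whichever JRE runs it (solution 2, when started with the java binary bundled in the KNIME installation). The class name `TrustStoreCheck` and its arguments are hypothetical.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

/** Hypothetical helper: does this truststore let the running JRE validate the server's TLS certificate? */
public class TrustStoreCheck {
    public static void main(String[] args) throws Exception {
        if (args.length != 2 && args.length != 4) {
            System.err.println("usage: java TrustStoreCheck <host> <port> [<truststore.jks> <password>]");
            System.exit(2);
        }
        String host = args[0];
        int port = Integer.parseInt(args[1]);

        // With no truststore argument the KeyStore stays null, which makes the factory
        // fall back to the running JRE's default truststore (normally lib/security/cacerts).
        KeyStore trustStore = null;
        if (args.length == 4) {
            trustStore = KeyStore.getInstance("JKS");
            try (InputStream in = new FileInputStream(args[2])) {
                trustStore.load(in, args[3].toCharArray());
            }
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);

        try (SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            socket.setSoTimeout(10_000);
            // Certificate path validation happens during the handshake. This tests chain
            // trust only; the host name in the certificate is not compared here.
            socket.startHandshake();
            X509Certificate leaf = (X509Certificate) socket.getSession().getPeerCertificates()[0];
            System.out.println("OK: chain validated, server certificate subject: "
                    + leaf.getSubjectX500Principal().getName());
        } catch (SSLHandshakeException e) {
            // Same failure class as the "PKIX path building failed" error in the thread.
            System.out.println("FAILED: " + e.getMessage());
            System.exit(1);
        }
    }
}
```

Running it once with the system Java and once with the JRE under the KNIME installation folder shows directly whether a certificate import reached the runtime that KNIME actually uses.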

Hello Björn,

We followed your instructions and it worked. We are able to have a successful connection.
Thank you for your help!!!

1 Like