
When trying to launch a Java Action within Oozie (CDH6.3.1) I get a "GSS initiate failed" error. The code in question is pretty straightforward:

        String impalaUrl = "jdbc:impala://pxyserver.global.ad:21050/default;SSL=1;AuthMech=1;KrbRealm=GLOBAL.AD;KrbHostFQDN=pxyserver.global.ad;KrbServiceName=Impala;sslTrustStore=/opt/cloudera/security/jks/truststore.jks;trustStorePassword=password";
        Properties impalaProperties = new Properties();
        impalaProperties.put("user", "svcaccount");
        impalaProperties.put("password", "svcpassword");
        impalaProperties.put("Driver", "com.cloudera.impala.jdbc41.Driver");

        try {
            setConnection(DriverManager.getConnection(impalaUrl , impalaProperties));
        } catch (SQLException e) {
            e.printStackTrace();
        }


Running this gives the following stack trace:

    java.sql.SQLException: [Cloudera][ImpalaJDBCDriver](500164) Error initialized or created transport for authentication: [Cloudera][ImpalaJDBCDriver](500169) Unable to connect to server: GSS initiate failed.
        at com.cloudera.impala.hivecommon.api.HiveServer2ClientFactory.createTransport(Unknown Source)
        at com.cloudera.impala.hivecommon.api.ServiceDiscoveryFactory.createClient(Unknown Source)
        at com.cloudera.impala.hivecommon.core.HiveJDBCCommonConnection.establishConnection(Unknown Source)
        at com.cloudera.impala.impala.core.ImpalaJDBCDSIConnection.establishConnection(Unknown Source)
        at com.cloudera.impala.jdbc.core.LoginTimeoutConnection.connect(Unknown Source)
        at com.cloudera.impala.jdbc.common.BaseConnectionFactory.doConnect(Unknown Source)
        at com.cloudera.impala.jdbc.common.AbstractDriver.connect(Unknown Source)
        at java.sql.DriverManager.getConnection(DriverManager.java:664)
        at java.sql.DriverManager.getConnection(DriverManager.java:208)

I can fix this by kiniting with a keytab. However, in our production environment Oozie runs this on one of many worker nodes and they do not have valid Kerberos tickets. What are my options here? If possible, I'd rather not kinit every day on each of our 40 worker nodes. Is there a parameter I am missing here?

Thanks

  • You can `kinit` in Oozie workflow, via a shell action that will also kick-off your Java app for example. – mazaneicha Mar 03 '20 at 23:29
  • Duplicate of https://stackoverflow.com/questions/43938580/submit-oozie-job-from-another-jobs-java-action-with-kerberos – Samson Scharfrichter Mar 05 '20 at 08:21
  • First, you clearly don't understand how Kerberos works -- user/password params are ignored, either the JDBC driver can access an existing "ticket-granting-ticket" (proof of identity) then obtain a "service ticket" to gain access; or it triggers JAAS rules to create the TGT first. – Samson Scharfrichter Mar 05 '20 at 08:29
  • Ideally the `hive2` Oozie action would work with Impala because it uses the same exact wire protocol as Hiveserver2 -- but alas, Impala does not support the Hadoop "delegation tokens" to make it easier to use Kerberos on a distributed system _(Kerberos is point-to-point only because, well, that was sufficient in the 1980's)_ – Samson Scharfrichter Mar 05 '20 at 08:32
  • Recommended readings: https://stackoverflow.com/questions/42477466/error-when-connect-to-impala-with-jdbc-under-kerberos-authrication >> https://stackoverflow.com/questions/35459726/load-a-keytab-from-hdfs >> https://stackoverflow.com/questions/46374464/java-jdbc-hive-client-does-not-fulfill-request-but-does-not-experience-error-ei – Samson Scharfrichter Mar 05 '20 at 08:44

0 Answers