[RETIRED] Configuring Looker to connect to Impala with Kerberos authentication


(Todd Nemet) #1

The content of this article has been updated and moved to Looker’s technical documentation here.

Notes on configuring Kerberos with delegation on Impala
Configuring Delegation on Impala using User Attributes

(Mike DeAngelo (a.k.a. Dr. StrangeLooker)) #2

Depending on how Kerberos is set up, it may default to authentication algorithms that are not supported by Java. I have found that arcfour-hmac/rc4-hmac seems to work reliably, and aes(256|128)-cts* does not work reliably. In the debugging messages you’ll see things like “unsupported keytype (18)” in the error output.

You may want to add the following to your krb5.conf file to use appropriate algorithms…

  default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
  default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
  permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc

Keep in mind that you can override the system krb5.conf by setting the environment variable KRB5_CONFIG to point to the local copy, and also point to the local copy using -Djava.security.krb5.conf=… in the JAVAARGS.

After changing the settings, use kdestroy to destroy the old ticket and get a new ticket with kinit, then test again.

(Mike DeAngelo (a.k.a. Dr. StrangeLooker)) #3

There is more information about encryption types here… http://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.2/doc/krb5-admin/Supported-Encryption-Types.html

Note the info at the bottom of the page: “Sites wishing to use AES encryption types on their KDCs need to be careful not to give GSSAPI services AES keys…” The Java Virtual Machine interfaces with Kerberos through the GSSAPI. The JAAS-GSS subsystem is the Java interface to the GSSAPI. The AES encryption types should be disabled when using Java, particularly Java 7.
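
Added example (not part of the original posts, and not Looker's code): a Python check that reads the three enctype settings discussed above from a krb5.conf, translates the number in an "unsupported keytype (18)" error into its enctype name, and lists which configured types are deprecated by RFC 6649 and RFC 8429. The sample file, the EXAMPLE.COM realm and the function names are constructed for illustration.

```python
import re

# Kerberos enctype numbers from the IANA registry, limited to the types in this thread.
ETYPES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac",
}
ALIASES = {"arcfour-hmac": "rc4-hmac", "aes128-cts": ETYPES[17], "aes256-cts": ETYPES[18]}
NUMBER = {name: num for num, name in ETYPES.items()}
DEPRECATED = {1, 3, 16, 23}  # RFC 6649 (single DES) and RFC 8429 (3DES, RC4)
SETTINGS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")

# Constructed sample: the three lines from the post, placed under [libdefaults].
SAMPLE_CONF = """\
[libdefaults]
  default_realm = EXAMPLE.COM
  default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
  default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
  permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
[realms]
  EXAMPLE.COM = { kdc = kdc.example.com }
"""

def parse_enctypes(conf_text):
    """Return {setting: [enctype numbers]} for the [libdefaults] section only."""
    section, found = None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        key, sep, value = line.partition("=")
        if section == "libdefaults" and sep and key.strip() in SETTINGS:
            names = [ALIASES.get(n, n) for n in re.split(r"[,\s]+", value.strip().lower()) if n]
            found[key.strip()] = [NUMBER.get(n, n) for n in names]  # unknown names stay as text
    return found

def audit(conf_text, keytype_from_error):
    """Explain an 'unsupported keytype (N)' error against the configured enctypes."""
    cfg = parse_enctypes(conf_text)
    return {
        "error_enctype": ETYPES.get(keytype_from_error, "unknown"),
        "accepted_by": [s for s in SETTINGS if keytype_from_error in cfg.get(s, [])],
        "deprecated": {s: [ETYPES[n] for n in v if n in DEPRECATED] for s, v in cfg.items()},
    }

if __name__ == "__main__":
    print(audit(SAMPLE_CONF, 18))
```

For the sample, keytype 18 resolves to aes256-cts-hmac-sha1-96, which none of the three settings accept, and every configured enctype is reported as deprecated.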

(kenneth.vinson) #4

I retired this article. The content can be found in Looker’s documentation here.