Skip to content
  • Register

    • Oracle Analytics Cloud and Server Idea Lab

    Home Oracle Analytics Oracle Analytics Idea Labs Oracle Analytics Cloud and Server Idea Lab

    Welcome!

    It looks like you're new here. Sign in or register to get started.
    Log In
    Register

    Quick Links

    Categories

    Welcome to the Oracle Analytics Community: Please complete your User Profile and upload your Profile Picture

    Connection to impala using end user keytab

    Needs Votes
    253
    Views
    2
    Comments
    Rank 1 - Community Starter
    in Oracle Analytics Cloud and Server Idea Lab

    Description

    To create a connection from OAS Data Visualization component to a Kerberos secured Impala we have to use the setup described in:

    https://docs.oracle.com/en/middleware/bi/analytics-server/user-oas/connect-database.html#GUID-02B13877-7C6C-4310-B65D-1348EDA2619D

    This setup expects three files:

    • krb5conf
    • oac.keytab
    • service_details.json


    The problem is that the only way this will work is if:

    • service_details.json -> You have to setup the service_principal to be impala/<host>@&lt;REALM>. This is an Impala requirement.
    • oac.keytab -> You have to use the same one defined in service_details, which is the service keytab (impala/<host>@&lt;REALM>). This is imposed by OAS, not by Impala.

    But the keytab of "impala/<host>@&lt;REALM>":

    • Is a keytab of a superuser, equivalent to using the root user
    • Is a keytab managed by Cloudera product. Cloudera may invalidate it at any time (deploy a service, patch, etc)


    By using in oac.keytab the service keytab (impala/<host>@&lt;REALM>) in consequence we introduce two problems:

    • As this is a superuser keytab all the security rules implemented in Impala are useless. OAS has root access to Impala and can query any data or delete whatever they want.
    • As this keytab is managed by cloudera product, at some random point the keytab may be invalidated and break OAS. To diagnose this kind of issues is hard as Cloudera may hidenly recreate the keytab without administrators noticing.


    The proposal is to allow for the oac.keytab to be an end-user keytab and add a field in service_details.json to specify which end-user to use to connect to impala (which should be the same
    than the one in the oac.keytab file).

     


     

     

    Use Case and Business Need

    The actual implementation breaks all of the security rules built in Impala. OAS has "root" access to Impala making it difficult to use OAS with Impala if there is sensitive data in Impala.

    More details

    SR Confirming the limitation: SR 3-24530814231 : Impala integration with OAS

    I upload a video:

    • First it shows how a JDBC connection against Impala works when Kerberos is setup
    • After it displays OAS limitations at this level

    Original Idea Number: ca286b6d35

    Tagged:
    2
    Up
    2 votes

    Needs Votes · Last Updated

    Comments

    Welcome!

    It looks like you're new here. Sign in or register to get started.
    Log In
    Register