Categories
Connection to impala using end user keytab

Description
To create a connection from OAS Data Visualization component to a Kerberos secured Impala we have to use the setup described in:
https://docs.oracle.com/en/middleware/bi/analytics-server/user-oas/connect-database.html#GUID-02B13877-7C6C-4310-B65D-1348EDA2619D
This setup expects three files:
- krb5conf
- oac.keytab
- service_details.json
The problem is that the only way this will work is if:
- service_details.json -> You have to setup the service_principal to be impala/<host>@<REALM>. This is an Impala requirement.
- oac.keytab -> You have to use the same one defined in service_details, which is the service keytab (impala/<host>@<REALM>). This is imposed by OAS, not by Impala.
But the keytab of "impala/<host>@<REALM>":
- Is a keytab of a superuser, equivalent to using the root user
- Is a keytab managed by Cloudera product. Cloudera may invalidate it at any time (deploy a service, patch, etc)
By using in oac.keytab the service keytab (impala/<host>@<REALM>) in consequence we introduce two problems:
- As this is a superuser keytab all the security rules implemented in Impala are useless. OAS has root access to Impala and can query any data or delete whatever they want.
- As this keytab is managed by cloudera product, at some random point the keytab may be invalidated and break OAS. To diagnose this kind of issues is hard as Cloudera may hidenly recreate the keytab without administrators noticing.
The proposal is to allow for the oac.keytab to be an end-user keytab and add a field in service_details.json to specify which end-user to use to connect to impala (which should be the same
than the one in the oac.keytab file).
Use Case and Business Need
The actual implementation breaks all of the security rules built in Impala. OAS has "root" access to Impala making it difficult to use OAS with Impala if there is sensitive data in Impala.
More details
SR Confirming the limitation: SR 3-24530814231 : Impala integration with OAS
I upload a video:
- First it shows how a JDBC connection against Impala works when Kerberos is setup
- After it displays OAS limitations at this level
Original Idea Number: ca286b6d35
Comments
-
Have same security issue - right suggestion to improve.
Did somebody manage to establish basic user connection to Impala?
0 -
@Adam Bloom-Oracle Can you review above?
0