
I've installed a cluster with Impala and Sentry (CDH 5.2) on CentOS 6.5 using the command line and have set up OpenLDAP (without TLS) as well. Both are operating without any issues independently.

To get the Hadoop cluster configured for OpenLDAP, I've created the required LDAP groups for all the Hadoop services and have made the required entries in core-site.xml and the Impala config file, listing the LDAP URI etc., as mentioned in the documentation.

When I invoke impala-shell for LDAP users using "impala-shell -l -u test1", where test1 is a valid OpenLDAP user, it asks for a password, which I supply. The problem is that once this is done, it just hangs. There is absolutely no response at all from impala-shell, and neither the Impala logs nor the LDAP logs record any activity. I also tried capturing tcpdump on port 389 (where LDAP runs), but it seems there is no communication there from Impala, as there are no packets exchanged at all. In contrast, it works perfectly when invoked without the "-l" directive for normal CentOS users. Below is the Impala config file:

IMPALA_CATALOG_SERVICE_HOST=master.server.com
IMPALA_STATE_STORE_HOST=master.server.com
IMPALA_STATE_STORE_PORT=24000
IMPALA_BACKEND_PORT=22000
IMPALA_LOG_DIR=/var/log/impala
IMPALA_CATALOG_ARGS="  -log_dir=${IMPALA_LOG_DIR} -        sentry_config=/etc/hive/conf/sentry-site.xml  "
IMPALA_STATE_STORE_ARGS=" -log_dir=${IMPALA_LOG_DIR} -state_store_port=${IMPALA_STATE_STORE_PORT}"
IMPALA_SERVER_ARGS="
    -server_name = master.server.com \
    -sentry_config=/etc/hive/conf/sentry-site.xml \
    -authorization_policy_provider_class = org.apache.sentry.provider.file.LocalGroupResourceAuthorizationProvider \
    -authorization_policy_file = /user/hive/warehouse/impala-policy.ini \
    -ldap_uri=ldap://slave.server.com:389 \
    --enable_ldap_auth=true \
    -log_dir=${IMPALA_LOG_DIR} \
    -catalog_service_host=${IMPALA_CATALOG_SERVICE_HOST} \
    -state_store_port=${IMPALA_STATE_STORE_PORT} \
    -use_statestore \
    -state_store_host=${IMPALA_STATE_STORE_HOST} \
    -be_port=${IMPALA_BACKEND_PORT}"
ENABLE_CORE_DUMPS=false
# LIBHDFS_OPTS=-Djava.library.path=/usr/lib/impala/lib
# MYSQL_CONNECTOR_JAR=/usr/share/java/mysql-connector-java.jar
# IMPALA_BIN=/usr/lib/impala/sbin
# IMPALA_HOME=/usr/lib/impala
# HIVE_HOME=/usr/lib/hive
# HBASE_HOME=/usr/lib/hbase
# IMPALA_CONF_DIR=/etc/impala/conf
# HADOOP_CONF_DIR=/etc/impala/conf
# HIVE_CONF_DIR=/etc/impala/conf
# HBASE_CONF_DIR=/etc/impala/conf

Kindly help me solve this problem if you've experienced this. Thanks in advance.

user5092078

1 Answer

I found the root cause. The reason was that the Impala daemon was not picking up the LDAP details from the Impala config file (typically at /etc/default/impala). I don't know what solved it, but just reinstalling Impala made it pick up the details as required. Once that was done, the next challenge was setting up the OpenLDAP groups in the way Impala expects, i.e., the DN should contain uid and not cn and the rest; using the ldap_listDN parameter, I provided the complete DN which was getting registered in the LDAP logs. It was a really silly issue which made me learn OpenLDAP in detail.

user5092078
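One way to check for the root cause described in the answer (the daemon running without the LDAP flags from the config file) is to compare the flag names in IMPALA_SERVER_ARGS with those on the running impalad command line. This is an added example, not part of the original post: the function names `flag_names` and `missing_flags` are hypothetical, and the running command line shown is constructed sample data.

```sh
#!/bin/sh
# Added example: list flags configured in IMPALA_SERVER_ARGS that do not
# appear on the command line of the running impalad process.

# Print the flag names found in an argument string, one per line, sorted.
# gflags accepts both -flag and --flag, so up to two leading dashes are
# stripped; "=value" is dropped. Runs in a subshell so 'set -f' stays local.
flag_names() (
    set -f                      # no filename globbing during word splitting
    for word in $1; do
        case "$word" in
            -*)
                word=${word#-}; word=${word#-}
                name=${word%%=*}
                if [ -n "$name" ]; then printf '%s\n' "$name"; fi
                ;;
        esac
    done | sort -u
)

# missing_flags CONFIGURED RUNNING
# Print every flag name present in CONFIGURED but absent from RUNNING.
missing_flags() (
    running=$(flag_names "$2")
    flag_names "$1" | while IFS= read -r name; do
        printf '%s\n' "$running" | grep -qxF -- "$name" || printf '%s\n' "$name"
    done
)

# Flags taken from the config file in the question.
CONFIGURED_SAMPLE='-ldap_uri=ldap://slave.server.com:389
    --enable_ldap_auth=true
    -use_statestore
    -be_port=22000'

# Constructed sample: a daemon that was started without the LDAP flags.
RUNNING_SAMPLE='/usr/lib/impala/sbin/impalad -use_statestore -be_port=22000 -log_dir=/var/log/impala'

# On a real node the two inputs would come from, for example:
#   . /etc/default/impala; configured=$IMPALA_SERVER_ARGS
#   running=$(ps -o args= -C impalad)
missing_flags "$CONFIGURED_SAMPLE" "$RUNNING_SAMPLE"
```

If the LDAP flags show up in the output, the daemon is not enforcing LDAP authentication regardless of what the config file says, which also explains why no traffic reaches port 389.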