Trying to connect from the host machine to Kerberos-enabled Impala on a CDH VBox. The impala-shell -k command works perfectly, but I cannot connect via impyla:

Traceback (most recent call last):
  File "yarasa.py", line 2, in <module>
    conn = connect(host='127.0.0.1', port=21050, auth_mechanism='GSSAPI', kerberos_service_name='impala')
  File "/Library/Python/2.7/site-packages/impyla-0.13.6-py2.7.egg/impala/dbapi.py", line 147, in connect
    auth_mechanism=auth_mechanism)
  File "/Library/Python/2.7/site-packages/impyla-0.13.6-py2.7.egg/impala/hiveserver2.py", line 658, in connect
    transport.open()
  File "/Library/Python/2.7/site-packages/thrift_sasl/__init__.py", line 72, in open
    message=("Could not start SASL: %s" % self.sasl.getError()))
thrift.transport.TTransport.TTransportException: Could not start SASL: Error in sasl_client_start (-1) SASL(-1): generic failure: GSSAPI Error:  Miscellaneous failure (see text (No credentials cache file found)

These are the principals:

[image: principals]

klist:

[image: klist output]

Any idea?

ufukomer
  • 1. You show the tickets available on the VM, not on the host. 2. Kerberos demands canonical DNS names -- no DNS alias, no IP. – Samson Scharfrichter Jun 18 '18 at 18:45
  • @SamsonScharfrichter I see now. Impyla works on the VM. Do you know whether there is any Docker image that is ready to connect to this Kerberos-enabled VM? Nothing about Kerberos works on my Mac, so I can't create a ticket. Or maybe there is some other simple way besides Docker? – ufukomer Jun 19 '18 at 05:09
  • Yes, you can create a Kerberos ticket on your Mac using the KDC on your VM. But that requires proper network / DNS config, and a lot of know-how. **This shit is about strong security, it's complicated**, not a toy... – Samson Scharfrichter Jun 19 '18 at 06:50
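
The two causes named in the comments (no ticket in the credential cache of the machine running the client, and an IP address where Kerberos expects a canonical DNS name) can be checked before `connect()` is called. This is an added example, not code from the question or from impyla; it is written for Python 3, and the function names are assumptions made for illustration.

```python
import ipaddress
import shutil
import subprocess


def host_problems(host):
    """Reasons `host` cannot serve as the hostname part of a service principal."""
    try:
        ipaddress.ip_address(host)
        return ["%r is an IP literal; use the server's canonical DNS name" % host]
    except ValueError:
        pass  # not an IP address, so treat it as a DNS name
    if "." not in host:
        return ["%r is a short name; use the fully qualified name" % host]
    return []


def has_valid_ticket(klist="klist"):
    """True only if `klist -s` exits 0 (cache readable and ticket not expired)."""
    exe = shutil.which(klist)
    if exe is None:
        return False  # no Kerberos client tools found on this machine
    done = subprocess.run([exe, "-s"], stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL)
    return done.returncode == 0


def preflight(host, klist="klist"):
    """Collect every problem that would make the GSSAPI handshake fail early."""
    problems = host_problems(host)
    if not has_valid_ticket(klist):
        problems.append("no valid ticket in this machine's credential cache; "
                        "run kinit here, not on the VM")
    return problems


def connect_checked(host, port=21050, service="impala"):
    """Run the checks, then make the same impyla call as in the question."""
    problems = preflight(host)
    if problems:
        raise RuntimeError("; ".join(problems))
    from impala.dbapi import connect  # imported lazily: needs impyla installed
    return connect(host=host, port=port, auth_mechanism="GSSAPI",
                   kerberos_service_name=service)


if __name__ == "__main__":
    # Constructed input: the host value from the question's connect() call.
    for problem in preflight("127.0.0.1"):
        print("FAIL:", problem)
```
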
