Your Kerberos environment should be fully configured before you configure the driver for Kerberos authentication. You should refer to your Impala and Java documentation for instructions on configuring Kerberos. For a Windows Active Directory implementation, you should also consult your Windows documentation. For a non-Active Directory implementation (on a Windows or non-Windows operating system), you should consult MIT Kerberos documentation.

Important: A properly configured Kerberos environment must include a means of obtaining a Kerberos Ticket Granting Ticket (TGT). For a Windows Active Directory implementation, Active Directory automatically obtains the TGT. However, for a non-Active Directory implementation, the means of obtaining the TGT must be automated or handled manually.

Once your Kerberos environment has been configured, take the following steps to configure the driver.

  1. Use one of the following methods to integrate the JAAS configuration file into your Kerberos environment. (See "The JAAS Login Configuration File" for details.)
    Note: The install_dir/lib/JDBCDriverLogin.conf file is the JAAS login configuration file installed with the driver. You can use this file or another file as your JAAS login configuration file.
    Note: Regardless of operating system, forward slashes must be used when designating the path of the JAAS login configuration file.
    • Specify a login configuration file directly in your application with the java.security.auth.login.config system property. For example:
      System.setProperty("java.security.auth.login.config","install_dir/lib/JDBCDriverLogin.conf");
    • Set up a default configuration. Modify the Java security properties file to indicate the URL of the login configuration file with the login.config.url.n property, where n is an integer denoting separate, consecutive login configuration files. When more than one login configuration file is specified, the files are read and concatenated into a single configuration.
      1. Open the Java security properties file. The security properties file is the java.security file in the /jre/lib/security directory of your Java installation.
      2. Find the line # Default login configuration file in the security properties file.
      3. Below the # Default login configuration file line, add the URL of the login configuration file as the value for a login.config.url.n property. For example:
        # Default login configuration file
        login.config.url.1=file:${user.home}/.java.login.config
        login.config.url.2=file:install_dir/lib/JDBCDriverLogin.conf
  2. Ensure your JAAS login configuration file includes an entry with authentication technology that the driver can use to establish a Kerberos connection. (See "The JAAS Login Configuration File" for details.)
    Note: The JAAS login configuration file installed with the driver (install_dir/lib/JDBCDriverLogin.conf) includes a default entry with the name JDBC_DRIVER_01. This entry specifies the Kerberos authentication technology used with an Oracle JVM.

    The following examples show that the authentication technology used in a Kerberos environment depends on your JVM.

    Oracle JVM

    JDBC_DRIVER_01 {
      com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true;
    };

    IBM JVM

    JDBC_DRIVER_01 {
      com.ibm.security.auth.module.Krb5LoginModule required useDefaultCcache=true;
    };

    Note: The driver uses its default configuration for Kerberos authentication if:
    • A login configuration file is not specified using the java.security.auth.login.config system property.
    • The login configuration file specified using the java.security.auth.login.config system property does not include a JDBC_DRIVER_01 entry.
    • The entry specified using the LoginConfigName connection property does not exist in the login configuration file specified using the java.security.auth.login.config system property.
  3. Set the driver's AuthenticationMethod connection property to kerberos. (See "AuthenticationMethod" for details.)
  4. Set the ServicePrincipalName property to specify the case-sensitive service principal name to be used for Kerberos authentication.
    Note: The service principal name is the value of the impala.server2.authentication.kerberos.principal property in the impala-site.xml file.
    The ServicePrincipalName takes the following form.
    Service_Name/Fully_Qualified_Domain_Name@REALM_NAME

    The value of the ServicePrincipalName property can include the Kerberos realm name, but it is optional. If you do not specify the realm name, the default realm is used. For example, if the service principal name, including Kerberos realm name, is server/Impala125ase1@XYZ.COM and the default realm is XYZ.COM, valid values for this property are:

    server/Impala125ase1@XYZ.COM

    and

    server/Impala125ase1 

    See "ServicePrincipalName" for details on the composition of the service principal name.

  5. Set the LoginConfigName connection property if the name of the JAAS login configuration file entry is different from the driver default JDBC_DRIVER_01. (See "The JAAS Login Configuration File" and "LoginConfigName" for details.)
    JDBC_DRIVER_01 is the default entry name for the JAAS login configuration file (JDBCDriverLogin.conf) installed with the driver. When configuring your Kerberos environment, your network or system administrator may have used a different entry name. Check with your administrator to verify the correct entry name.
  6. Set the User connection property as appropriate. (See "User" for details.)

    In most circumstances, there is no need to set the User connection property. By default, the driver uses the user principal name in the Kerberos Ticket Granting Ticket (TGT) as the value for the User property.

  7. Optionally, if impersonation is enabled on the server, set the ImpersonateUser property to provide the user ID used for impersonation.
  8. Set the DatabaseName connection property as appropriate. (See "DatabaseName" for details.)
For example, the following is a connection URL with the required and optional properties for making a connection using Kerberos authentication.

Connection URL:

// The URL is built by concatenation; a Java string literal cannot span lines.
Connection conn = DriverManager.getConnection(
  "jdbc:datadirect:impala://myserver:21050;AuthenticationMethod=kerberos;"
  + "DatabaseName=ImpalaDB;ImpersonateUser=user2;"
  + "ServicePrincipalName=impala/myserver@EXAMPLE.COM;");

Data Source:

ImpalaDataSource mds = new ImpalaDataSource();
mds.setDescription("My Impala Data Source");
mds.setServerName("server_name");
mds.setPort("port");
mds.setAuthenticationMethod("kerberos");
mds.setDatabaseName("testDB");
mds.setImpersonateUser("user2");
mds.setServicePrincipalName("impala/myserver@EXAMPLE.COM");
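
Step 2 notes that the driver falls back to its default configuration when the named entry is missing from the login configuration file, so a misspelled LoginConfigName goes unnoticed. The following pre-flight check is an added example, not part of the driver or its documentation. It uses only the standard JAAS API to confirm that an entry exists and names a Krb5LoginModule; the class name JaasEntryCheck, the sample file contents and the entry name JDBC_DRIVER_02 are assumptions made for illustration.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.NoSuchAlgorithmException;
import java.security.URIParameter;
import java.util.Arrays;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;

public class JaasEntryCheck {

    /** Returns true only if entryName is defined in jaasFile and uses a Krb5LoginModule. */
    static boolean hasKerberosEntry(Path jaasFile, String entryName)
            throws NoSuchAlgorithmException {
        // Parse this one file, independent of java.security.auth.login.config
        // and of any login.config.url.n settings in java.security.
        Configuration cfg = Configuration.getInstance(
                "JavaLoginConfig", new URIParameter(jaasFile.toUri()));
        AppConfigurationEntry[] entries = cfg.getAppConfigurationEntry(entryName);
        if (entries == null) {
            System.out.println("MISSING  " + entryName
                    + " (the driver would use its default configuration)");
            return false;
        }
        boolean krb5 = false;
        for (AppConfigurationEntry e : entries) {
            System.out.println("FOUND    " + entryName + " -> " + e.getLoginModuleName()
                    + " " + e.getOptions());
            // Matches both the Oracle and the IBM module class names shown in step 2.
            krb5 |= e.getLoginModuleName().endsWith(".Krb5LoginModule");
        }
        return krb5;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample file mirroring the Oracle JVM entry shown in step 2.
        Path conf = Files.createTempFile("JDBCDriverLogin", ".conf");
        Files.write(conf, Arrays.asList(
                "JDBC_DRIVER_01 {",
                "  com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true;",
                "};"));
        System.out.println(hasKerberosEntry(conf, "JDBC_DRIVER_01")); // entry defined above
        System.out.println(hasKerberosEntry(conf, "JDBC_DRIVER_02")); // hypothetical mistyped entry name
        Files.delete(conf);
    }
}
```

To check a deployed configuration, pass the path of the actual login configuration file and the value intended for LoginConfigName to hasKerberosEntry.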