Friday, May 17, 2019

C6.2 impala-shell requires python version > 2.7.9 to support TLS1.2

On CDH 6.2, if you try to lock down the TLS protocol used by Impala to TLS1.2 and disable the older versions (i.e. --ssl_minimum_version=tlsv1.2), it breaks impala-shell and it will fail to connect to Impala with this error:

Error connecting: TTransportException, Could not connect to localhost:21000: 
[Errno 8] _ssl.c:504: EOF occurred in violation of protocol

This is because impala-shell in C6.2 uses a newer version of Thrift which requires python 2.7.9 or higher to supprot TLS1.2. Since RHEL7.6 by default only comes with python 2.7.5, you have to either upgrade python or configure Impala to use TLS1.0.

This is documented in the following JIRAs:

https://issues.apache.org/jira/browse/IMPALA-6990
https://issues.apache.org/jira/browse/IMPALA-8407

"When impala-shell is used to connect to an impala cluster with --ssl_minimum_version=tlsv1.2, if the Python version being used is < 2.7.9 the connection will fail due to a limitation of TSSLSocket."
at
Labels: ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)