Enabling Delegation for Cloudera Impala

Version 5

    In Tableau Server versions 8.3 - 9.3, delegation for Impala uses global/managed credentials to initiate the connection from Tableau Server to Impala. Beginning in Tableau 10.0, end-to-end Kerberos has been added. The instructions in this article apply to Tableau versions 8.3 - 9.3.


    The instructions for later versions of Tableau are here: https://community.tableau.com/docs/DOC-11137


    People who view the published data source or workbook on Tableau Server get the Single Sign-On (SSO) with Kerberos experience. They can connect to Tableau Server using Kerberos, and their identity is delegated to Cloudera using the DelegationUID parameter. This form of delegation is fully supported by Cloudera and respects all HDFS/Sentry access control. End users never have to enter their credentials, assuming they have already acquired a Kerberos ticket.


    The publisher of the data source, however, does not get SSO with Kerberos. Because the connection to Impala uses username/password authentication to initiate the connection on Tableau Server, the data source needs to be created with username/password authentication on Tableau Desktop. When publishing to Tableau Server, the publisher must select ‘Viewer Credentials’ as the authentication type. This enables delegation for that data source on Tableau Server.


    When a Hadoop cluster is enabled in secure mode, Kerberos is the default authentication type. To enable users to log in with a user name and password, LDAP authentication should also be enabled. This way, users can log in with their Active Directory credentials to Impala.


    To enable delegation for Cloudera Impala, you must do the following:


    Note: Kerberos must be enabled on Tableau Server, but connections to Impala databases do not use Kerberos.

    • Configure Tableau Server to do managed credentials delegation with the Cloudera Impala cluster.


    To validate Impala configuration

    The Impala configuration can be validated independently of Tableau using the driver manager, as shown here:


    • First, validate that the proxy user can log in using their password.

    • Next, validate that the proxy user can delegate the end user.

    • If both of these tests pass, proceed to configuring Tableau Server.


    To configure Tableau Server

    Note: You must be a local administrator on the Tableau Server computer to perform the following steps.


    1. Stop Tableau Server.

    2. Open a command prompt as local administrator and navigate to the Tableau Server bin directory. For example, enter the following command:

      cd C:\Program Files\Tableau\Tableau Server\9.3\bin

    3. At the command prompt, enter the following commands, in order:

      tabadmin set wgserver.kerberos.dbclasses hadoophive tabadmin configure tabadmin start

    4. After Tableau Server has started, at the command prompt, type the following:

      tabadmin manage_global_credentials --add --server <hadoop-server> --user <authorized-proxy-user-name> --password <authorized-proxy-user-password>

      This writes to the database, so Tableau Server needs to be running before you use this command.

    Note: There can only be one authorized proxy user per Impala server for any one Tableau Server installation.


    To view the current credentials, type the following:

    tabadmin manage_global_credentials --show


    To remove existing credentials, type the following:


    tabadmin manage_global_credentials --remove


    Note: LDAP authentication for Impala does not require the user domain when authenticating; it uses only the short name. This can cause problems when users with the same short name occur in multiple domains.