In Tableau Server versions 8.3 - 9.3, delegation for Impala uses global/managed credentials to initiate the connection from Tableau Server to Impala. Beginning in Tableau 10.0, end-to-end Kerberos has been added. The instructions in this article apply to Tableau versions 8.3 - 9.3.
The instructions for later versions of Tableau are here: https://community.tableau.com/docs/DOC-11137
People who view the published data source or workbook on Tableau Server get the Single Sign-On (SSO) with Kerberos experience. They can connect to Tableau Server using Kerberos, and their identity is delegated to Cloudera using the DelegationUID parameter. This form of delegation is fully supported by Cloudera and respects all HDFS/Sentry access control. End users never have to enter their credentials, assuming they have already acquired a Kerberos ticket.
The publisher of the data source, however, does not get SSO with Kerberos. Because the connection to Impala uses username/password authentication to initiate the connection on Tableau Server, the data source needs to be created with username/password authentication on Tableau Desktop. When publishing to Tableau Server, the publisher must select ‘Viewer Credentials’ as the authentication type. This enables delegation for that data source on Tableau Server.
When a Hadoop cluster is enabled in secure mode, Kerberos is the default authentication type. To enable users to log in with a user name and password, LDAP authentication should also be enabled. This way, users can log in with their Active Directory credentials to Impala.
To enable delegation for Cloudera Impala, you must do the following:
Configure LDAP authentication for Impala. For information, see Enabling LDAP Authentication for Impala.
Configure the proxy user by setting the ‘authorized_proxy_user_config’ value. This configuration is beyond the scope of Tableau documentation. For more information, see the following Cloudera documentation:
Validate your Impala setup independent of Tableau Server.
Configure Kerberos in Tableau Server to provide SSO. For more information, see Configure Kerberos in the Tableau Help.
Note: Kerberos must be enabled on Tableau Server, but connections to Impala databases do not use Kerberos.
Configure Tableau Server to do managed credentials delegation with the Cloudera Impala cluster.
To validate Impala configuration
The Impala configuration can be validated independently of Tableau using the driver manager, as shown here:
First, validate that the proxy user can log in using their password.
Next, validate that the proxy user can delegate the end user.
If both of these tests pass, proceed to configuring Tableau Server.
To configure Tableau Server
Note: You must be a local administrator on the Tableau Server computer to perform the following steps.
Stop Tableau Server.
Open a command prompt as local administrator and navigate to the Tableau Server bin directory. For example, enter the following command:
cd C:\Program Files\Tableau\Tableau Server\9.3\bin
At the command prompt, enter the following commands, in order:
tabadmin set wgserver.kerberos.dbclasses hadoophive
tabadmin configure
tabadmin start
After Tableau Server has started, at the command prompt, type the following:
tabadmin manage_global_credentials --add --server <hadoop-server> --user <authorized-proxy-user-name> --password <authorized-proxy-user-password>
This writes to the database, so Tableau Server needs to be running before you use this command.
Note: There can only be one authorized proxy user per Impala server for any one Tableau Server installation.
To view the current credentials, type the following:
tabadmin manage_global_credentials --show
To remove existing credentials, type the following:
tabadmin manage_global_credentials --remove
Note: LDAP authentication for Impala does not require the user domain when authenticating; it uses only the short name. This can cause problems when users with the same short name occur in multiple domains.
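The short-name caveat in the note above can be checked before delegation is enabled. The following is an added example, not part of the original article or of Tableau's tooling: it groups a list of user names by short name and reports any short name that occurs in more than one domain. The account list, the alias map, and the function names are constructed for illustration, and the script assumes short names compare case-insensitively.

```python
from collections import defaultdict

# Constructed sample of Tableau Server user names (not real accounts).
SAMPLE_ACCOUNTS = [
    r"CORP\jsmith",
    "jsmith@emea.example.com",
    r"corp\JSmith",            # same account as the first, different case
    r"CORP\adavis",
    "bwong@emea.example.com",
    r"EMEA\adavis",
    "svc_tableau",             # no domain qualifier
]

# Assumed mapping of NetBIOS names to DNS domains so both spellings compare equal.
DOMAIN_ALIASES = {"corp": "corp.example.com", "emea": "emea.example.com"}


def split_account(name, aliases=None):
    """Return (short_name, domain) for DOMAIN\\user, user@domain or a bare user."""
    aliases = aliases or {}
    name = name.strip()
    if "\\" in name:
        domain, short = name.split("\\", 1)
    elif "@" in name:
        short, domain = name.rsplit("@", 1)
    else:
        short, domain = name, ""
    domain = domain.lower()
    # Only the short name reaches Impala's LDAP login, so that is the grouping key.
    return short.lower(), aliases.get(domain, domain)


def short_name_collisions(accounts, aliases=None):
    """Map each short name seen in more than one domain to its sorted domains."""
    domains = defaultdict(set)
    for account in accounts:
        short, domain = split_account(account, aliases)
        domains[short].add(domain)
    return {s: sorted(d) for s, d in domains.items() if len(d) > 1}


if __name__ == "__main__":
    found = short_name_collisions(SAMPLE_ACCOUNTS, DOMAIN_ALIASES)
    for short, doms in sorted(found.items()):
        print(f"{short}: {', '.join(doms)}")
```

Any short name the script reports should be resolved before the data source is published with 'Viewer Credentials'.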