Enable Kerberos Delegation for Hive/Impala

Version 7

    Disclaimer: This topic includes information about a third-party product. Please note that while we make every effort to keep references to third-party content accurate, the information we provide here might change without notice as Hive/Impala changes. For the most up-to-date information, please consult Hive/Impala documentation and support.

    Starting with Tableau Server 10, Tableau Server supports Kerberos delegation to Hive/Impala data sources.

    This topic describes how to configure two different authentication approaches with Kerberos between Tableau Server and Hive/Impala.

    These are alternative options. You do not need both; use either one.

    • Constrained Delegation/Viewer Credentials
    • Database Impersonation using Delegation UID *


    * If you are using a Knox gateway, DelegationUID currently isn't available because Knox doesn't support it. This could change. For the final word, consult your vendor documentation.


    1. Viewer Credentials/Kerberos Delegation

    First you must configure Tableau Server for Delegation. See Enable Kerberos Delegation for Windows, or Enable Kerberos Delegation for Linux.

    Verify that the Hive/Impala driver is installed on Tableau Server.

    Enabling constrained delegation for Kerberos to Hive/Impala requires you to specify the Tableau Server Run As User for delegation and to add the Hive/Impala service account for delegation in Active Directory. You need to be a domain administrator for your Active Directory domain to perform these steps. After configuring Tableau Server for Kerberos, do the following:

    Specify the Run As User account for delegation

    1. On the Active Directory domain controller, start the Active Directory Users and Computers (ADUC) tool.
    2. In the left pane (Active Directory Domain Services), click Users.
    3. In the Users pane, right-click the name of the Run As User who will be doing the delegation and then click Properties.
    4. In the Properties dialog box, in the left pane, select Delegation.
    5. In the Delegation section, select Trust this user for delegation to specified services only.
    6. Select Use any authentication protocol.

    Add Hive/Impala service accounts for delegation

    1. To specify the services to be delegated, click Add.
    2. In the Add Services dialog box, click Add Users or Computers.
    3. In the text field, type the name of the Hive/Impala service account and then click Check Names. The account should be found.
    4. Click OK. The SPN (Service Principal Name) list is populated.
    5. Select the SPNs registered for the Hive/Impala services you want to delegate to. The SPNs should now appear in the SPN list in the delegation section of the properties window for the user.
    6. Click OK.

    When this configuration is complete, workbooks or data sources that Tableau Server users publish with Viewer Credentials connect to the Hive/Impala data source through delegation.
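
    The following PowerShell check is an added example, not part of the original Tableau documentation. It reads back the settings made in the two procedures above and flags unconstrained delegation, a missing "Use any authentication protocol" setting, and any SPN outside the expected Hive/Impala list. The account name and SPNs are placeholder assumptions, and the ActiveDirectory module must be installed.

```powershell
# Added example: audit the delegation settings of the Tableau Server Run As User.
# Assumptions (placeholders, not values from the original page):
#   $RunAsUser    = sAMAccountName of the Run As User account
#   $ExpectedSpns = SPNs registered for the Hive/Impala services, written
#                   exactly as they appear in the account's delegation list
Import-Module ActiveDirectory

$RunAsUser    = 'svc-tableau'
$ExpectedSpns = @('hive/hive01.example.com', 'impala/impala01.example.com')

function Test-DelegationConfig {
    param(
        [Parameter(Mandatory)] $Account,              # object from Get-ADUser
        [Parameter(Mandatory)] [string[]] $ExpectedSpns
    )
    # Drop null/empty entries so an unset attribute yields an empty list.
    $allowed  = @($Account.'msDS-AllowedToDelegateTo' | Where-Object { $_ })
    $findings = @()

    # Unconstrained delegation must be off for a "specified services only" setup.
    if ($Account.TrustedForDelegation) {
        $findings += 'Unconstrained delegation is enabled on this account.'
    }
    # "Use any authentication protocol" sets the protocol-transition flag.
    if (-not $Account.TrustedToAuthForDelegation) {
        $findings += '"Use any authentication protocol" is not selected.'
    }
    # Every expected Hive/Impala SPN must be in the allowed list...
    foreach ($spn in $ExpectedSpns) {
        if ($allowed -notcontains $spn) { $findings += "Missing SPN: $spn" }
    }
    # ...and nothing else should be, to keep the delegation scope minimal.
    foreach ($spn in $allowed) {
        if ($ExpectedSpns -notcontains $spn) { $findings += "Unexpected SPN: $spn" }
    }
    return $findings
}

$props   = 'msDS-AllowedToDelegateTo', 'TrustedForDelegation', 'TrustedToAuthForDelegation'
$account = Get-ADUser -Identity $RunAsUser -Properties $props

$findings = @(Test-DelegationConfig -Account $account -ExpectedSpns $ExpectedSpns)
if ($findings.Count -eq 0) {
    Write-Output "OK: $RunAsUser is constrained to the expected Hive/Impala SPNs."
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

    Run it from a domain-joined host with read access to the directory, and rerun it after any change to the Run As User account so that an unexpected SPN in the delegation list is noticed.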

    2. Database Impersonation

    Database impersonation for Kerberos to Hive/Impala requires you to configure your Hadoop distribution for delegation using the DelegationUID connection parameter.

    Before you begin, verify that your Tableau Server Run As User account is properly configured:

      • The account must be a network account and configured to log into Hive/Impala using Kerberos.
      • The account must be granted read access to Hive/Impala so that it can read queried data.

    You should also verify that the Hive/Impala driver installed on Tableau Server supports the DelegationUID parameter.

    Publish using database impersonation

    You can publish using database impersonation with one of two methods:

    • Embedded credentials—If you do not have a Kerberized cluster, or you have an LDAP frontend, you can embed the credentials for the impersonating user when publishing. The user you connect as when you publish must be configured with the ability to delegate for other users.
    • Impersonate with server run as—If you have a Kerberized cluster, you can connect with this option. In this case we will connect as the Tableau Server service user using Kerberos to the backend. The impersonating user, in this case Tableau Server, must be configured with the ability to delegate for other users.

    You can validate that database impersonation is configured using the driver manager: