We are facing issues while enabling SSO in Tableau for Impala.
We have tried below options:
Option 1: Connecting Tableau with Run-as user credential from Desktop in username-password authentication mode and publishing workbook by viewer credential mode
With this option we were able to successfully have the delegation working, but the limitation is that we need to share the Tableau Run_As user details with all the publisher and it is a risk to share those details with them because Run-As user has all the admin privileges. Attached document that lists the various steps that were followed for this option.
As a workaround tried creating a group and tried providing delegation right to that group, but this did not went through as there is no option present to provide delegation rights to a normal user or group.
Option 2: Connecting Tableau desktop with Kerberos authentication Mode and publishing workbook by viewer credential mode
With this option we are able to connect to Impala from desktop, but when published on server we are getting the below error when accessing the report on the server. This seems to be a more safe option as no credentials of run-as user are required to be shared with the publishers. Can someone help resolve this issue or provide pointers for this.
Option 3: Use Impala ODBC connection in Tableau
When using this option the delegation UID is not getting overwritten by the user who is loggin onto the server. I read in the MSTR documents that we need to set the additional property as delegationUID=?Delegated_mstr_uid for this to work. Do we have such a parameter in tableau where we can overwrite the delgation UID in tableau also. Have tried delegationUID=USERNAME(), etc. but it did not worked.
Here both Tableau and Impala are Kerberos enabled and Sentry has been enabled at Cloudera end. We have validated that SSO is working fine for HUE and also validated that Kerberos has been successfully enabled at Tableau end.
Sharing the references that we have gone through:
Thanks and Regards,