2 Replies Latest reply on Aug 15, 2019 8:13 AM by Richard Thorne

    Tableau/Kerberos (HIVE) Data Source Authentication

    Kevin Doherty

      I am hoping to see if any experts on the forum can provide more insights into Kerberos Data Source Authentication (In this case to a HIVE Source).

       

      Current Hadoop Setup

      Our current Hadoop environment uses a Local Identity Store.

       

      Current Tableau Desktop/Server Setup for Hadoop Development

      Our current Tableau environment is 2018.2.5. Tableau Desktop users will utilize the local Hadoop account and Kerberos ticket to connect to HIVE (They select Kerberos Authentication within the HIVE connector for Tableau Desktop).

       

      On Tableau Server we are generating a ticket for a local Service Account that has been created within Hadoop's Identity Store. When Tableau Desktop users publish to the Server they select the Authentication option "Server Run As account" for their Data Source.

       

      Current Issue

      Per the document links below as well as through discussions with our Tableau Technical resources.. it seems our current setup is not supported. Plus our Hadoop Admins would like a little more insights in auditing who is connecting to HIVE and using just one Service Account limits that ability.

       

      Future Plan

      I have decided to engage our Active Directory and Hadoop resource to implement the steps outlined in the below two documents, however, I have questions around the Setup and the Desktop User's interaction with Tableau Server in such a setup (Publishing).

       

       

      Document #1 Link

      https://onlinehelp.tableau.com/current/server/en-us/kerberos_delegation.htm

       

      Document #1 Questions

      • In step #1.. is this referencing the Tableau Service Run-As Account or just an AD Account that will be setup for Delegation (Step #2)?
      • Maybe I am not understanding the description but it seems Step #1 references a different account than Step #2. Or can they be the same AD Account?

       

       

      Document #2 Link

      https://community.tableau.com/docs/DOC-11137

       

      Document #2 Questions for Viewer Credentials/Kerberos Delegation

      • The Run As User Account being referenced in this question is the same Account that was referenced in Step #2 of Document #1?
      • After this setup is complete on the Server and Active Directory.. what is the User Experience for a Desktop user? I assume they still continue using their local Kerberos ticket and account to connect to HIVE?

                * The last sentence mentions the Desktop user should specify Viewer Credentials, however, that is not an option when publishing a Workbook/Datasource for this user.. just "Server Run As account" and "Impersonate via Server Run as Account".

       

      Document #2 Questions for Database Impersonation

      Again trying to understand the User Experience for a Desktop user? I like the idea of "Embedded Credentials" noted in this section, however, again this is not an option when the user is Publishing the Workbook/Datasource so not sure if I am missing something?

       

       

      I apologize for the long-winded write-up but hoping to get some clarity around the steps outlined in these two documents. The first document states that MIT KDC is not supported but my assumption is that is for the Server setup as our Active Directory resource is open to creating a Service Account to utilize for Delegation. For Desktop users the assumption is they would still be connecting to HIVE using the local identity store and ticket assigned.

       

      Thanks in advance for any insights.