We know Tableau Desktop works with MIT Kerberos on Windows to connect to Cloudera Hive/Impala. But there is some confusing information in Tableau support sites whether Tableau SERVER can work with MIT Kerberos in an Windows environment. There is a note that Kerberos delegation requires Active Directory and MIT Kerberos is not supported. But let us try to connect with a Hive datasource using a Hive service account with proper Sentry permission in Hive/Impala to connect from Tableau Server running on Windows.
- Tableau Server V2019.x on Windows
- Cloudera CDH 5.16 Hive/Impala on Centos using MIT Kerberos on Linux
- MIT Kerberos client on Windows for Tableau desktop and server
The overall connection flow will be:
Windows Tableau Server data source -> use Windows MIT Kerberos ticket -> Cloudera Hive/Impala
- First create a testuser@SOMEKRBREALM principal userid in the MIT KDC in Cloudera Hadoop cluster. Create a keytab for the user and make sure you can kinit with the keytab.
- Give appropriate permissions in Sentry to the testuser to access Hive/Impala tables.
2. Next install MIT Client on the Windows Tableau Server box and make sure we can connect using the testuser@SOMEKRBREALM to MIT KDC running in the Cloudera Hadoop cluster. You may need to open ports 88/udp/tcp, 10000/tcp, 21050/tcp to the Hadoop cluster. See below instructions and note the KRB5CCNAME environment variable setup.
3. Create a Tableau workbook using a Cloudera Impala datasource on the Desktop and then publish the workbook with embedded datasource and use Server Run As Account in the Datasource while publishing workbook.
4. If luckly the workbook will publish to Tableau Server and able to connect automatically to Cloudera Impala using MIT kerberos ticket.
5. However if it gives error such as Unexpected Response received from server. Please ensure the server host and port are correct and confirm if SSL sould be enabled. This is a tough error to resolve and may need lot of googling.
6. Some of the troubleshooting steps will involve creating a Microsoft ODBC 64bit DSN using Cloudera Impala ODBC driver with kerberos credentials on all the Tableau servers cluster and check it can Test Successfully which means the firewall and other issues are not a problem.
7. Bottomline is it definitely is possible to make Tableau Server connect to Cloudera Hive/Impala using MIT Kerberos client on the Tableau Server. But it is not an easy connection to setup. Good Luck!