Dear team
I want to implement a PowerBI Service to access Cloudera Hive (CDP-PC Datahub) with Impersonation.
The definition of Impersonation:
User impersonation allows Power BI Service to execute queries in CDP on behalf of logged in users through a trusted service account.
My architecture:
Question:
On-premise Data Gateway is using AD, and its realm is REALM-A.COM, which is synchronizing from EntraID.
The CDP Hive is using FreeIPA, and its realm is REALM-B.COM. The freeIPA is synchronizing accounts from the same EntraID.
About the Kerberos principal, which REALM should I use to connect from On-premise Data Gateway?
Our use case:
1) Developer develops a new report in PowerBI Desktop, using CDP Public Cloud Datahub (Cloudera Hive)
2) Developer publishes the report to PowerBI Service, and shares the record to a group.
3) Users in the group can access the report with impersonation.
I checked the MS documentation and found this. I have already configured On-premise data gateway to connect to Cloudera Hive with Kerberos.
Also, this document mentions "Support for Kerberos SSO for Hive LLAP in Power BI".
@v-xiandat-msft Thanks for your reply!
Our purpose is doing impersonation when using PowerBI Service to access Cloudera Hive.
Question:
When doing impersonation in On-premise Data Gateway, what Kerberos key will On-premise data gateway send to Cloudera Hive?
Details:
When we use hive@REALM-B.COM, we can get the right UPN according to the On-premise data gateway log.
The PowerBI Service user is "zzeng_admin01@zzengtestad.onmicrosoft.com" (that is, zzeng_admin01@REALM-A), and in On-premise gateway, it was replaced with "zzeng_admin01".
My expectation is that On-premise data gateway will create a new Kerberos ticket for zzeng_admin01 (which is the current PowerBI user UPN) and use it to access Cloudera Hive, but in fact On-premise data gateway used the fixed Kerberos ticket hive@REALM-B.COM.
Do you have any comments/advice on this?
Appreciate!
Hi @zzeng ,
To connect from your On-premise Data Gateway to Cloudera Hive using Kerberos, you should use the realm associated with the CDP Hive, which is REALM-B.COM. Therefore, the Kerberos principal should be hive@REALM-B.COM.
This is because the CDP Hive is using FreeIPA with the realm REALM-B.COM, and even though both realms are synchronizing accounts from the same EntraID, the authentication should align with the realm of the service you are connecting to.
Best Regards,
Xianda Tang
If this post helps, then please consider accepting it as the solution to help the other members find it more quickly.