zzeng
Frequent Visitor

PowerBI Service - Data Gateway - Cloudera Hive (CDP-PC Datahub) with Impersonation

Dear team

 

I want to implement a PowerBI Service to access Cloudera Hive (CDP-PC Datahub) with Impersonation.

 

The definition of Impersonation:

User impersonation allows Power BI Service to execute queries in CDP on behalf of logged in users through a trusted service account.

 

My architecture:

[Architecture diagram: zzeng_0-1721701395256.png]

 

 

Question:

On-premise Data Gateway is using AD, and its realm is REALM-A.COM, which is synchronizing from EntraID.

The CDP Hive is using FreeIPA, and its realm is REALM-B.COM. The freeIPA is synchronizing accounts from the same EntraID.

About the Kerberos principal, which REALM should I use to connect from On-premise Data Gateway?

  1. hive@REALM-A.COM
  2. or hive@REALM-B.COM

 

Our use case:

1) Developer develops a new report in PowerBI Desktop, using CDP Public Cloud Datahub (Cloudera Hive)

2) Developer publishes the report to PowerBI Service, and shares the record with a group.

using CDP Public Cloud Datahub (Cloudera Hive)

3) Users in the group can access the report with impersonation.

 

I checked the MS documentation and found this. I have already configured the On-premise data gateway to connect to Cloudera Hive with Kerberos.

https://learn.microsoft.com/en-us/power-bi/connect-data/service-gateway-sso-kerberos#step-4-configur...

 

Also in this document,

https://learn.microsoft.com/en-us/power-platform-release-plan/2020wave2/cdm-data-integration/support...

It mentioned that "Support for Kerberos SSO for Hive LLAP in Power BI"

 

2 REPLIES
zzeng
Frequent Visitor

@v-xiandat-msft  Thanks for your reply!

 

Our purpose is doing impersonation when using PowerBI Service to access Cloudera Hive.

Question:

When doing impersonation in On-premise Data Gateway, what Kerberos key will On-premise data gateway send to Cloudera Hive?

 

Details:

When we use hive@REALM-B.COM, we can get the right UPN according to the On-premise data gateway log.

The PowerBI Service user is "zzeng_admin01@zzengtestad.onmicrosoft.com" (that is, zzeng_admin01@REALM-A), and in the On-premise gateway, it was replaced with "zzeng_admin01".

My expectation is that the On-premise data gateway will create a new Kerberos ticket zzeng_admin01 (which is the current PowerBI User UPN) and use it to access Cloudera Hive, but in fact the On-premise data gateway used the fixed Kerberos ticket hive@REALM-B.COM.

 

Do you have any comments/advice on this?

 

Appreciate!

 

 

 

v-xiandat-msft
Community Support

Hi @zzeng ,

To connect from your On-premise Data Gateway to Cloudera Hive using Kerberos, you should use the realm associated with the CDP Hive, which is REALM-B.COM. Therefore, the Kerberos principal should be hive@REALM-B.COM.

This is because the CDP Hive is using FreeIPA with the realm REALM-B.COM, and even though both realms are synchronizing accounts from the same EntraID, the authentication should align with the realm of the service you are connecting to.

Best Regards,

Xianda Tang

If this post helps, then please consider accepting it as the solution to help other members find it more quickly.
