zzeng
Frequent Visitor

What is Power BI Service (Data Gateway) sending to Cloudera Hive for impersonation?

Dear team

What parameter does the Power BI Service (on-premises data gateway) send to Cloudera Hive for impersonation?

Is it sending the DelegationUID parameter?

Details:

I am trying to implement impersonation with Cloudera Hive.

It's Power BI Service (Data Gateway) connecting to Cloudera Hive in CDP.

I have already tested:

1) Power BI Service can access Cloudera Hive with Kerberos (Windows Auth) and fetch data

2) The on-premises data gateway and CDP Hive are using the same AD

3) I enabled SSO in the Power BI Service connection, and it passed the test.

I am using the following settings:

  • The on-premises data gateway is using account [admin], and we initiated a Kerberos ticket [admin@REALM_NAME_01]
  • The current user in Power BI Service is using account [zzeng_admin01@*****.onmicrosoft.com], and it was replaced with [zzeng_admin01] in the on-premises data gateway.

When I use Power BI Service to access Cloudera Hive, Hive recognizes the user [admin] accessing it, not [zzeng_admin01] as expected.

CreateWindowsIdentityV1 userPrincipalName <euii>zzeng_admin01</euii>
About to execute function as impersonated user <euii>REALM_NAME_01\zzeng_admin01</euii> (IsAuthenticated: True, ImpersonationLevel: Impersonation)...
dsrJson: <ccon>{"protocol":"x-datasource","authentication":null,"address":{"kind":"ApacheHive","path":"base-master1.*******.cloudapp.net:10000;default;1"},"query":null}</ccon>, CredentialDetails.EncryptedConnection:NotEncrypted, useEncryptedConnection:False

Hive Log showed that it is still accessed by the user [admin] not [zzeng_admin01] (expecting zzeng_admin01)

org.apache.hive.service.cli.operation.Operation: [2576281b-726b-4e0a-a534-b9559d923b62 HiveServer2-Handler-Pool: Thread-329]: [opType=EXECUTE_STATEMENT, queryId=hive_20240808185633_02c6e891-38fa-442e-85da-f5356f14dbb5, startTime=1723110993585, sessionId=2576281b-726b-4e0a-a534-b9559d923b62, createTime=1723110993550, userName=admin, ipAddress=172.16.64.4]
org.apache.hadoop.hive.metastore.RetryingMetaStoreClient: [2576281b-726b-4e0a-a534-b9559d923b62 HiveServer2-Handler-Pool: Thread-329]: RetryingMetaStoreClient proxy=class org.apache.hadoop.hive.ql.metadata.SessionHiveMetaStoreClient ugi=admin (auth:PROXY) via hive/base-master1.******.lx.internal.cloudapp.net@******.LX.INTERNAL.CLOUDAPP.NET (auth:KERBEROS) retries=1 delay=1 lifetime=0

 

Do you have any information about what the on-premises data gateway is sending to Cloudera Hive for impersonation?
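
An added example, not part of the original post: a small parser for HiveServer2 log lines in the format quoted above, which reports sessions that arrive from the gateway host but run as the gateway's own account rather than a delegated end user. The sample lines, session ids, IPs, host and realm are constructed placeholders, and the function names are hypothetical.

```python
import re

# Constructed HiveServer2 log lines in the format quoted in the post; session ids,
# IPs, host and realm are placeholders, not values from the thread.
S1, S2, S3 = (f"11111111-aaaa-4bbb-8ccc-00000000000{n}" for n in (1, 2, 3))
def _op(sid, user, ip):
    return (f"org.apache.hive.service.cli.operation.Operation: [{sid} HiveServer2-Handler-Pool: "
            f"Thread-1]: [opType=EXECUTE_STATEMENT, queryId=hive_q, startTime=1, sessionId={sid}, "
            f"createTime=1, userName={user}, ipAddress={ip}]")
SAMPLE_LOG = "\n".join([
    _op(S1, "admin", "10.0.0.4"),           # gateway host, runs as the gateway account
    f"org.apache.hadoop.hive.metastore.RetryingMetaStoreClient: [{S1} HiveServer2-Handler-Pool: "
    "Thread-1]: RetryingMetaStoreClient proxy=class X ugi=admin (auth:PROXY) via "
    "hive/hs2.example.internal@EXAMPLE.INTERNAL (auth:KERBEROS) retries=1",
    _op(S2, "zzeng_admin01", "10.0.0.4"),   # gateway host, end-user identity arrived
    _op(S3, "admin", "10.0.0.9"),           # admin connecting directly from another host
])

SID_RE = re.compile(r"\[(?P<sid>[0-9a-f-]{36}) HiveServer2-Handler-Pool")
OP_RE = re.compile(r"\[opType=\w+,.*?userName=(?P<user>[^,\]]+), ipAddress=(?P<ip>[^\]\s,]+)\]")
UGI_RE = re.compile(r"ugi=(?P<user>\S+) \(auth:(?P<auth>\w+)\)(?: via (?P<via>\S+) \(auth:\w+\))?")

def session_identities(log_text):
    """Map session id -> effective users, client IPs and proxying principals seen in the log."""
    sessions = {}
    for line in log_text.splitlines():
        sid = SID_RE.search(line)
        if not sid:
            continue
        rec = sessions.setdefault(sid.group("sid"), {"users": set(), "ips": set(), "via": set()})
        op = OP_RE.search(line)
        if op:
            rec["users"].add(op.group("user"))
            rec["ips"].add(op.group("ip"))
        ugi = UGI_RE.search(line)
        if ugi:
            rec["users"].add(ugi.group("user"))
            if ugi.group("auth") == "PROXY" and ugi.group("via"):
                rec["via"].add(ugi.group("via"))
    return sessions

def sessions_running_as(log_text, gateway_account, gateway_ips):
    """Session ids from the gateway host whose effective Hive user is the gateway account."""
    return sorted(sid for sid, rec in session_identities(log_text).items()
                  if rec["ips"] & set(gateway_ips) and gateway_account in rec["users"])
```

Running `sessions_running_as(SAMPLE_LOG, "admin", {"10.0.0.4"})` on the constructed sample returns only the first session, the one where the end user's identity did not reach Hive.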

1 ACCEPTED SOLUTION

6 REPLIES
zzeng
Frequent Visitor

Dear team

Thanks for your comments.

This was resolved.

My solution:

1) Remove MIT Kerberos

2) Fix my DNS server settings, to make sure that I can get the correct reverse DNS search
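
An added example, not part of the original post: a check that a host name's forward and reverse DNS records agree, which matters because Kerberos clients can canonicalize the server name through reverse DNS when building the hive/<host> service principal. The host names, addresses and the injectable `forward`/`reverse` resolvers are assumptions made so the check also runs offline against constructed records.

```python
import socket

def check_forward_reverse(hostname, forward=socket.gethostbyname_ex,
                          reverse=socket.gethostbyaddr):
    """Return a list of DNS problems for hostname; an empty list means A and PTR agree."""
    wanted = hostname.lower().rstrip(".")
    try:
        _, _, addrs = forward(hostname)
    except OSError as exc:  # socket.gaierror and socket.herror are OSError subclasses
        return [f"forward lookup failed for {hostname}: {exc}"]
    problems = []
    for addr in addrs:
        try:
            ptr_name, aliases, _ = reverse(addr)
        except OSError as exc:
            problems.append(f"no PTR record for {addr}: {exc}")
            continue
        names = {n.lower().rstrip(".") for n in [ptr_name, *aliases]}
        if wanted not in names:
            problems.append(f"{addr} reverses to {ptr_name}, not {hostname}")
    return problems

# Constructed records (placeholders) standing in for a DNS server during an offline run.
FAKE_A = {
    "hs2.example.internal": ["10.0.0.10"],
    "hs2-bad.example.internal": ["10.0.0.11"],
    "hs2-noptr.example.internal": ["10.0.0.12"],
}
FAKE_PTR = {
    "10.0.0.10": "hs2.example.internal",
    "10.0.0.11": "vm-11.cloud.example.net",  # PTR points at a different name
}

def fake_forward(name):
    if name not in FAKE_A:
        raise socket.gaierror(f"unknown host {name}")
    return name, [], FAKE_A[name]

def fake_reverse(addr):
    if addr not in FAKE_PTR:
        raise socket.herror(f"no PTR for {addr}")
    return FAKE_PTR[addr], [], [addr]
```

Called with only a host name, `check_forward_reverse` uses the system resolver, so it can be run on the gateway machine against the Hive host name configured in the ODBC driver.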

lbendlin
Super User

What connector are you using? Cloudera ODBC 2.7? Whatever you specify in the ODBC control panel will be sent over.

Hi @lbendlin, thanks for replying!

Yes, I am using Cloudera ODBC 2.7.

@lbendlin wrote:

Whatever you specify in the ODBC control panel will be sent over.

We can't specify "DelegationUID" in the ODBC control panel because, with impersonation, this ODBC connection is shared with a group of users, and we expect that the MS on-premises data gateway can dynamically set the DelegationUID to the current login user's ID and pass it to Cloudera Hive.

Do you think this is possible?

What does your Cloudera ODBC setting look like?

Cloudera Hive ODBC setting:

  • Hosts: [Hive master node host name]
  • Port: 10000 (Binary mode)
  • Database: default
  • Auth Mechanism: Kerberos
  • REALM: [the REALM in AD]
  • Host FQDN: _HOST
  • Service Name: hive
  • SSL: No SSL

C:\Program Files\On-premises data gateway\m\ODBC Drivers\Simba Hive ODBC Driver.ini:

[Simba Hive ODBC Driver]
Driver=Cloudera ODBC Driver for Apache Hive\lib\ClouderaHiveODBC64.dll
HiveServerType=2
AuthMech=1
ThriftTransport=1
ServiceDiscoveryMode=0
ZKNamespace=
KrbRealm=******.LX.INTERNAL.CLOUDAPP.NET
KrbHostFQDN=_HOST
KrbServiceName=hive
Port=10000
Schema=default
UseNativeQuery=0
GetTablesWithQuery=1
SSL=0

I can pass the Cloudera Hive ODBC test with MIT Kerberos installed.

Might be worth going through these troubleshooting steps:

Authentication and Kerberos Issues | CDP Private Cloud (cloudera.com)
