Configuring SSO for the Cloudera Impala connector

Warning: The single sign-on (SSO) functionality in the Cloudera Impala Connector is a Beta version.

With a single sign-on (SSO) solution, you can minimize the number of times a user has to log on to access apps and websites.

When you set up Cloudera Impala as a data source in Qlik Sense, you can configure Cloudera Impala for SSO. You store the Qlik Sense user credentials and define a trusted relationship so that the system passes the Qlik Sense credentials to Cloudera Impala.

Users who create apps using the Cloudera Impala Connector in the Qlik ODBC Connector Package can authenticate the connection with SSO. If the app data is loaded in-memory, access to the data is controlled from within Qlik Sense.

To configure SSO for Cloudera Impala, you must:

  • Create the Cloudera Manager Principal.
  • Set up a "Kerberized" Cloudera cluster.
  • Install and configure Sentry.
  • Test the configuration.
Warning: If you are configuring SSO for a generic ODBC connection instead of with the Qlik ODBC Connector Package, use the following configuration instructions: Configuring Cloudera Impala for single sign-on.

Creating the Cloudera Manager Principal

Do the following:

  1. Create an Organizational Unit (OU) in your Active Directory setup where all the principals used by your CDH cluster will reside.
  2. Add a new user account to Active Directory to be used as the Cloudera Manager Principal.

    The password should be set to never expire.

  3. Use Active Directory's Delegate Control wizard to allow this new user to Create, delete, and manage user accounts.

Setting up a "Kerberized" Cloudera cluster

Do the following:

  1. Use the Cloudera Kerberos wizard to set up Kerberos authentication for the Cloudera cluster running Impala.
  2. Configure the cluster so that the generic Cloudera Impala ODBC driver can connect using Kerberos principal authentication and can delegate connection to other users.

See the Cloudera documentation for details: Cloudera documentation

Install and configure Sentry

Sentry must be used for authorization.

Do the following:

  1. Install and configure the Sentry package.
  2. Verify that the Sentry service has been added to the Cloudera cluster.
  3. Configure Cloudera Impala to use Sentry.

Testing the configuration

On the system where Qlik Sense Enterprise on Windows is installed, create a connection to Cloudera Impala using the generic Cloudera ODBC driver.

If the connection works with the generic Cloudera ODBC driver, then connections made with the Cloudera Impala Connector in the ODBC Connector Package will also work.

Did this information help you?

Thanks for letting us know. Is there anything you'd like to tell us about this topic?

Can you tell us why it did not help you and how we can improve it?