Configuring Cloudera Impala for single sign-on
With a single sign-on (SSO) solution, you can minimize the number of times a user has to log on to access apps and websites.
When you set up Cloudera Impala as a data source in Qlik Sense, you can configure Cloudera Impala for SSO. You store the Qlik Sense user credentials and define a trusted relationship so that the system passes the Qlik Sense credentials from Qlik Sense to Cloudera Impala.
Users who create apps using an SSO data connection to Cloudera Impala are authenticated in Cloudera Impala. If the app data is loaded in-memory, access to the data is controlled from within Qlik Sense. To prevent the creation of other Cloudera Impala data source connections, you should set the security rules in the QMC so that ODBC data connections cannot be created.
Setting up SSO for Cloudera Impala
To set up SSO for Cloudera Impala, you first need to set up a "kerberized" cluster, that is, a cluster that forces Kerberos authentication, and use Sentry for authorization. Then you need to add users who can do impersonation in Cloudera Manager, install the vendor ODBC drivers, create a data source to Cloudera Impala, configure Qlik Sense, and create an ODBC connection to Cloudera Impala.
Do the following:
-
Set up a "kerberized" cluster that forces Kerberos authentication and use Sentry for authorization.
See the Cloudera documentation for details: Cloudera
-
Add users who can do impersonation in Cloudera Manager.
-
In Cloudera Manager, navigate to the Impala cluster and select Configuration.
-
Search for proxy user.
-
In Proxy User Configuration, add the service account users who are allowed to impersonate other users.
In the following example, the service account user svc-bob12 can impersonate users.
Example: hue=*;svc-sensecloudera58=*;svc-bob12=*;
- Restart the Cloudera services.
-
- Install the vendor ODBC drivers.
- Create a data source to Cloudera Impala.
-
Configure Qlik Sense (if needed).
-
Navigate to %ProgramData%\Qlik\Sense\Engine and open Settings.ini.
- Edit the settings, see SSO settings in Settings.ini, and save.
- Restart the Qlik Sense Engine Service.
-
-
Create an ODBC connection to Cloudera Impala using Qlik Sense.
- Open the data load editor.
-
Create an ODBC connection and under Logon credentials, select Single Sign-On.
-
In the data model viewer, verify that the available data aligns with the privileges of the mapped database user.
The setup is complete.
SSO settings in Settings.ini
Setting | Default value | Possible values |
---|---|---|
SSODisableLogOn | 0 |
|
SSOCasing | 0 |
|
SSOExternalId | 0 |
|