Configuring Cloudera Impala for single sign-on

With a single sign-on (SSO) solution, you can minimize the number of times a user has to log on to access apps and websites.

When you set up Cloudera Impala as a data source in Qlik Sense, you can configure Cloudera Impala for SSO. You store the Qlik Sense user credentials and define a trusted relationship so that the system passes the Qlik Sense credentials from Qlik Sense to Cloudera Impala.

Users who create apps using an SSO data connection to Cloudera Impala are authenticated in Cloudera Impala. If the app data is loaded in-memory, access to the data is controlled from within Qlik Sense. To prevent the creation of other Cloudera Impala data source connections, you should set the security rules in the QMC so that ODBC data connections cannot be created.

Warning: The Cloudera Impala Connector in the Qlik ODBC Connector Package also supports SSO. If you are using the connector in the ODBC Connector Package, use the following configuration instructions: Configuring SSO for the Cloudera Impala connector. (English only)
Note: Only the vendor-supplied driver works in this configuration, not the driver in the Qlik Connector Package.
Note: This configuration is for Cloudera Impala only; Hive requires a different configuration option.

Setting up SSO for Cloudera Impala

To set up SSO for Cloudera Impala, you first need to set up a "kerberized" cluster, that is, a cluster that forces Kerberos authentication, and use Sentry for authorization. Then you need to add users who can do impersonation in Cloudera Manager, install the vendor ODBC drivers, create a data source to Cloudera Impala, configure Qlik Sense, and create an ODBC connection to Cloudera Impala.

Do the following:

  1. Set up a "kerberized" cluster that forces Kerberos authentication and use Sentry for authorization.

    See the Cloudera documentation for details: Cloudera

  2. Add users who can do impersonation in Cloudera Manager.

    1. In Cloudera Manager, navigate to the Impala cluster and select Configuration.

    2. Search for proxy user.

    3. In Proxy User Configuration, add the service account users who are allowed to impersonate other users.

      In the following example, the service account user svc-bob12 can impersonate users.

      Example: hue=*;svc-sensecloudera58=*;svc-bob12=*;

      Proxy user configuration for Cloudera Impala only
    4. Restart the Cloudera services.
  3. Install the vendor ODBC drivers.
  4. Create a data source to Cloudera Impala.
  5. Configure Qlik Sense (if needed).

    1. Navigate to %ProgramData%\Qlik\Sense\Engine and open Settings.ini.

    2. Edit the settings (see SSO settings in Settings.ini) and save the file.
    3. Restart the Qlik Sense Engine Service.
  6. Create an ODBC connection to Cloudera Impala using Qlik Sense.

    1. Open the data load editor.
    2. Create an ODBC connection and under Logon credentials, select Single Sign-On.

    3. In the data model viewer, verify that the available data aligns with the privileges of the mapped database user.

The setup is complete.
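
The proxy user string from step 2 can be reviewed before the services are restarted. The following is an added example, not part of the original documentation or of Cloudera's or Qlik's tooling: it parses the string and reports accounts that are not on an expected list and accounts granted the * wildcard. The function names and the expected-account list are hypothetical, and the comma-separated delegate form is assumed from Impala's proxy user setting (the page itself shows only =*).

```python
# Added example: audit an Impala proxy-user string such as the one in step 2.
# Assumed format: "proxy=delegate1,delegate2;proxy2=*;" where "*" means any user.

def parse_proxy_config(value):
    """Return {proxy_account: set_of_delegates} from a proxy user string."""
    mapping = {}
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:              # tolerate the trailing ";"
            continue
        proxy, sep, delegates = entry.partition("=")
        proxy = proxy.strip()
        if not sep or not proxy:
            raise ValueError(f"malformed entry: {entry!r}")
        names = {d.strip() for d in delegates.split(",") if d.strip()}
        mapping.setdefault(proxy, set()).update(names)
    return mapping


def audit_proxy_config(value, expected_accounts):
    """List findings: unexpected proxy accounts and wildcard delegation."""
    findings = []
    for proxy, delegates in sorted(parse_proxy_config(value).items()):
        if proxy not in expected_accounts:
            findings.append((proxy, "not in expected service-account list"))
        if "*" in delegates:
            findings.append((proxy, "may impersonate any user (wildcard)"))
        elif not delegates:
            findings.append((proxy, "no delegates listed"))
    return findings


if __name__ == "__main__":
    # Example value from the page; the expected-account list is constructed.
    sample = "hue=*;svc-sensecloudera58=*;svc-bob12=*;"
    for account, issue in audit_proxy_config(sample, {"hue", "svc-bob12"}):
        print(f"{account}: {issue}")
```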

SSO settings in Settings.ini

Setting          Default value  Possible values
SSODisableLogOn  0              0: Enables SSO; 1: Disables SSO
SSOCasing        0              0: Case sensitive; >0: Upper case; <0: Lower case
SSOExternalId    0              0: QlikId (domain\username); 1: UPN (username@domain.com); 2: username
