Connecting Tableau to Hive Server 2 Using Kerberos Authentication

Beginning with Tableau 8.0.4, you can connect to Hive Server 2 in secure mode using any one of the three Hadoop distributions offered through Tableau: Cloudera Hadoop, Hortonworks Hadoop, and MapR Hadoop.
There are two ways you can connect to Hive Server 2 in secure mode: using LDAP authentication or setting up and configuring the Kerberos utility for Kerberos authentication. This article covers the setup required on the Tableau client machine to connect to Hive Server 2 in secure mode using Kerberos-based authentication with the MIT Kerberos client. Contact your Hadoop support representative to assist you with the server-side setup that may be required on the Hadoop cluster.
Before you can connect to Hive Server 2 in secure mode using Kerberos authentication, additional software and configuration are required on the client machine where Tableau is installed. Specific ODBC drivers and the Kerberos utility must be installed. The Kerberos utility will be used to generate a ticket that the ODBC driver will use to authenticate and allow you to connect to Hive Server 2 in secure mode.
Before you can set up Kerberos, you will need to first perform the tasks listed under Prerequisites. Then use the procedure as a guideline to set up Kerberos on your machine and connect to Hive Server 2 in secure mode. These steps may vary depending on your environment and configuration.

Prerequisites

  • Install Tableau 8.0.4 or later
  • Install the correct ODBC driver: Download and install one of the following drivers depending on the Hadoop distribution you are using. Links to the specific drivers can be found on the Tableau Drivers page:
    • Cloudera: Install and configure the Cloudera ODBC 2.5 for Kerberos. Note: You must uninstall any older versions of the ODBC driver before installing the new driver.
    • Hortonworks: Install and configure the Hortonworks Hive ODBC Driver 1.2.x
    • MapR: Install and configure the MapR Hive ODBC 2.x driver.
  • Download and install MIT Kerberos for Windows (32-bit or 64-bit) 4.0.1: Download this tool from the MIT website: http://web.mit.edu/kerberos/dist/index.html.
  • Obtain a krb5.conf or .keytab file:
    • Preferred method - Obtain a krb5.conf file from your Kerberos administrator, rename the file to krb5.ini, and move it to the following location: C:\ProgramData\MIT\Kerberos5. Note: C:\ProgramData is a hidden folder.
    Or
    • Alternative method - Obtain a .keytab file from your Kerberos administrator, and save it to a location on your machine that you can later reference. This .keytab file is necessary for you to generate a Kerberos ticket.
Important: Tableau does not support or test the Kerberos utility. This article is intended to provide general guidance on configuring Kerberos to generate a ticket and authenticate Tableau so that you can connect to Hive Server 2 in secure mode.

Connect using the preferred method - krb5.ini file

Step 1

Click Start, and select All Programs > Kerberos for Windows > MIT Kerberos Ticket Manager.

Step 2

On the Home tab, click Get Ticket.

Step 3

In the Get Ticket dialog box, type the principal and password of the account that will connect to Hive Server 2. For example, the principal may look like: jsmith/krbtest@KRBTEST-LOCAL

Step 4

Click OK. Your ticket displays in the list.
Note: If you do not see a ticket in this list, do not proceed. Instead, work with your Kerberos administrator to help resolve any issues first.

Step 5 (Optional)

Test the connection to Hive Server 2 using the ODBC Administrator utility included with the ODBC driver, following the procedure in the Test the connection to Hive Server 2 section below.

Step 6

Open Tableau Desktop.

Step 7

From the Connect to Data page, select one of the following: Cloudera Hadoop, Hortonworks Hadoop Hive, or MapR Hadoop Hive.

Step 8

Follow the steps in the Connection dialog box to complete the connection. Make sure you select the HiveServer2 option under Step 2.
The Realm is only needed if your Kerberos setup does not define a default realm or if the realm of the Hive Server 2 is not the default. For the Host FQDN, type the fully qualified domain name of the Hive Server 2 host. The Service Name must be “hive.”
In this example, the realm is KRBTEST-LOCAL, the host FQDN is krbhadoopcdh4.myco.com, and the service name is hive.

Connect using the alternative method - .keytab file

Step 1

Open the Command Prompt with administrator privileges and type the following command:
kinit -k -t <keytab file> <principal>
Note: Replace <keytab file> with the full path and name of your .keytab file, and replace <principal> with your Kerberos principal to use for authentication. For example: kinit -k -t c:\bw.keytab bw/krbtest@KRBTEST-LOCAL

Step 2

Type the following command to verify you have generated a Kerberos ticket: klist
Notes:
  • You can identify your ticket by the time stamp.
  • If you do not see a ticket in this list, do not proceed. Instead, work with your Kerberos administrator to help resolve any issues first.

Step 3

Open Tableau Desktop.

Step 4

From the Connect to Data page, select one of the following: Cloudera Hadoop, Hortonworks Hadoop Hive, or MapR Hadoop Hive.

Step 5

Follow the steps in the Connection dialog box to complete the connection. Make sure you select the HiveServer2 option under Step 2.
The Realm is only needed if your Kerberos setup does not define a default realm or if the realm of the Hive Server 2 is not the default. For the Host FQDN, type the fully qualified domain name of the Hive Server 2 host. The Service Name must be “hive.”
In this example, the realm is KRBTEST-LOCAL, the host FQDN is krbhadoopcdh4.myco.com, and the service name is hive.
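
Steps 1 and 2 of the .keytab method can be scripted so that the "do not proceed without a ticket" check is enforced rather than read off the screen. The PowerShell below is an added example, not part of the original article or of Tableau's tooling; the install folder in $KfwBin is an assumption, and the keytab path and principal defaults are the article's sample values.

```powershell
# Added example. $KfwBin is an assumed install folder; the keytab path and
# principal defaults are the article's sample values.
param(
    [string]$Keytab    = 'C:\bw.keytab',
    [string]$Principal = 'bw/krbtest@KRBTEST-LOCAL',
    [string]$KfwBin    = 'C:\Program Files\MIT\Kerberos\bin'
)

# Call the MIT tools by full path: Windows has its own klist.exe in System32,
# which reports the Windows logon session's tickets, not necessarily the
# cache that MIT kinit writes to.
$kinit = Join-Path $KfwBin 'kinit.exe'
$klist = Join-Path $KfwBin 'klist.exe'
foreach ($path in $kinit, $klist, $Keytab) {
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { throw "File not found: $path" }
}

# A keytab holds the principal's long-term key, so anyone who can read the
# file can obtain tickets as that principal. Warn if broad groups have
# access (English-language group names assumed).
$broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
$loose = (Get-Acl -Path $Keytab).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $broad -contains $_.IdentityReference.Value } |
    ForEach-Object { $_.IdentityReference.Value } |
    Sort-Object -Unique
if ($loose) {
    Write-Warning "Keytab $Keytab is accessible to: $($loose -join ', ')"
}

# Step 1: request a ticket-granting ticket using the keytab.
& $kinit -k -t $Keytab $Principal
if ($LASTEXITCODE -ne 0) { throw "kinit failed with exit code $LASTEXITCODE" }

# Step 2: 'klist -s' prints nothing and exits 0 only when the cache exists
# and its tickets have not expired.
& $klist -s
if ($LASTEXITCODE -ne 0) {
    throw 'No valid Kerberos ticket in the cache. Do not open Tableau yet.'
}

# List the cache so the new ticket can be identified by its time stamp.
& $klist
Write-Output "Ticket obtained for $Principal. Continue with Step 3."
```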

Troubleshooting

Can’t generate ticket from Kerberos
If you are unable to generate a ticket in Kerberos, contact your Kerberos administrator.
“Unable to connect to the ODBC Data Source. Check that the necessary drivers are installed and that the connection properties are valid.”
If you see this error message in Tableau Desktop, make sure to configure the driver.
To configure the driver, go to the Driver Configuration utility for your driver. Complete the information in the dialog box. Note: Make sure you select the Hive Server 2 option from the Hive Server Type drop-down list.
Can’t connect using Tableau but the test connection is successful
If you are unable to connect to Hive Server 2 using Tableau Desktop but the test connection using the ODBC Administrator utility was successful, contact Tableau Support.

Test the connection to Hive Server 2

The latest ODBC drivers for Cloudera, Hortonworks, and MapR allow you to use the driver configuration utility to test the connection to Hive Server 2. To do this, go to the ODBC Administrator utility, and complete the procedure below.
  1. Click the System DSN tab.
  2. Click the Add button.
  3. Select the appropriate driver for your Hadoop distribution.
  4. Complete the information in the DSN Setup dialog box.
  5. Click the Test button. The test results display either “TESTS COMPLETED SUCCESSFULLY” or “TEST COMPLETED WITH ERROR.”
If the test completed successfully, continue to Step 6 in the Connect using the preferred method - krb5.ini file section above.
Note: If the test completes with an error, contact the Hadoop or Kerberos administrator or the Hadoop support representative to help resolve the connection issue.