Dear team
What parameter does PowerBI Service (On-premise Data Gateway) send to Cloudera Hive for impersonation?
Is it sending DelegationUID?
Details:
I am trying to implement impersonation for Cloudera Hive.
It's PowerBI Service (Data Gateway) connecting to Cloudera Hive in CDP.
I have already tested:
1) PowerBI Service can access the Cloudera Hive with Kerberos (Windows Auth) and fetch data
2) On-premise data gateway and CDP Hive are using the same AD
3) I enabled the SSO in PowerBI Service connection, and passed the test.
I am using the following settings:
- On-premise data gateway is using account [admin], and we initiated a Kerberos ticket [admin@REALM_NAME_01]
- Current user in PowerBI Service is using account [zzeng_admin01@*****.onmicrosoft.com], and it was replaced with [zzeng_admin01] in On-premise data gateway.
When I use Power BI Service to access the Cloudera Hive, Hive recognizes the user [admin] accessing it, not [zzeng_admin01] as expected.
CreateWindowsIdentityV1 userPrincipalName <euii>zzeng_admin01</euii>
About to execute function as impersonated user <euii>REALM_NAME_01\zzeng_admin01</euii> (IsAuthenticated: True, ImpersonationLevel: Impersonation)...
dsrJson: <ccon>{"protocol":"x-datasource","authentication":null,"address":{"kind":"ApacheHive","path":"base-master1.*******.cloudapp.net:10000;default;1"},"query":null}</ccon>, CredentialDetails.EncryptedConnection:NotEncrypted, useEncryptedConnection:False
Hive log showed that it is still accessed by the user [admin], not [zzeng_admin01] (expecting zzeng_admin01):
org.apache.hive.service.cli.operation.Operation: [2576281b-726b-4e0a-a534-b9559d923b62 HiveServer2-Handler-Pool: Thread-329]: [opType=EXECUTE_STATEMENT, queryId=hive_20240808185633_02c6e891-38fa-442e-85da-f5356f14dbb5, startTime=1723110993585, sessionId=2576281b-726b-4e0a-a534-b9559d923b62, createTime=1723110993550, userName=admin, ipAddress=172.16.64.4]
org.apache.hadoop.hive.metastore.RetryingMetaStoreClient: [2576281b-726b-4e0a-a534-b9559d923b62 HiveServer2-Handler-Pool: Thread-329]: RetryingMetaStoreClient proxy=class org.apache.hadoop.hive.ql.metadata.SessionHiveMetaStoreClient ugi=admin (auth:PROXY) via hive/base-master1.******.lx.internal.cloudapp.net@******.LX.INTERNAL.CLOUDAPP.NET (auth:KERBEROS) retries=1 delay=1 lifetime=0
Do you have any information about what the On-premise data gateway is sending to Cloudera Hive for impersonation?
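
An added example, not part of the original post: a Python check over HiveServer2 log lines of the kind quoted above. It lists sessions from the gateway host whose `userName` is not the expected end user, and splits the Hadoop `ugi=... via ...` string into the effective user and the principal that actually authenticated. The sample lines, session ids, host name and realm are constructed placeholders.

```python
import re

# Constructed sample lines modelled on the HiveServer2 log format in the post;
# session ids, host name and realm are placeholders, not values from the page.
SAMPLE_LOG = """\
org.apache.hive.service.cli.operation.Operation: [sess-0001 HiveServer2-Handler-Pool: Thread-1]: [opType=EXECUTE_STATEMENT, queryId=hive_q1, sessionId=sess-0001, createTime=1, userName=admin, ipAddress=172.16.64.4]
org.apache.hadoop.hive.metastore.RetryingMetaStoreClient: [sess-0001 HiveServer2-Handler-Pool: Thread-1]: RetryingMetaStoreClient proxy=class X ugi=admin (auth:PROXY) via hive/hs2.example.internal@EXAMPLE.INTERNAL (auth:KERBEROS) retries=1 delay=1 lifetime=0
org.apache.hive.service.cli.operation.Operation: [sess-0002 HiveServer2-Handler-Pool: Thread-2]: [opType=EXECUTE_STATEMENT, queryId=hive_q2, sessionId=sess-0002, createTime=2, userName=zzeng_admin01, ipAddress=172.16.64.4]
"""

OP_RE = re.compile(
    r"sessionId=(?P<session>[\w-]+),.*?userName=(?P<user>[^,\]]+), "
    r"ipAddress=(?P<ip>[\d.]+)")
UGI_RE = re.compile(
    r"ugi=(?P<eff>\S+) \(auth:(?P<eff_auth>\w+)\)"
    r"(?: via (?P<real>\S+) \(auth:(?P<real_auth>\w+)\))?")


def operations(log_text):
    """Yield (session_id, user, client_ip) for each Operation log line."""
    for line in log_text.splitlines():
        m = OP_RE.search(line)
        if m:
            yield m["session"], m["user"], m["ip"]


def ugi_chain(line):
    """Split a Hadoop UGI string: the effective (proxied) user comes first,
    the principal that really authenticated follows 'via'."""
    m = UGI_RE.search(line)
    if not m:
        return None
    return {"effective_user": m["eff"], "effective_auth": m["eff_auth"],
            "authenticated_as": m["real"], "authenticated_auth": m["real_auth"]}


def unexpected_users(log_text, expected_user, gateway_ip):
    """Sessions from the gateway host that ran as someone other than expected."""
    return [(session, user) for session, user, ip in operations(log_text)
            if ip == gateway_ip and user != expected_user]


if __name__ == "__main__":
    print(unexpected_users(SAMPLE_LOG, "zzeng_admin01", "172.16.64.4"))
    print(ugi_chain(SAMPLE_LOG.splitlines()[1]))
```
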