home User Guide Getting Started Help Center Documentation Community Training Certification
Looker keyboard_arrow_down
language keyboard_arrow_down
Looker documentation will be moving to cloud.google.com in mid-2022!
All the information you rely on will be migrated and all docs.looker.com URLs will be redirected to the appropriate page.
Cloudera Impala

Dialects that use these instructions

Cloudera Impala share the database setup requirements described on this page.

Configuring Looker to connect to Cloudera Impala

Looker connects to any database through a JDBC connection. By default, on Cloudera Impala this is the server running the impalad daemon on port 21050.

In the Admin section of Looker, select Connections, and then select New Connection.

The Looker connection configuration depends on the security that is being used:

Connecting to a cluster without Kerberos or user authentication

To configure a connection that isn’t using Kerberos or user authentication:

  1. On the Connection Settings page, leave the Username and Password fields blank. (The * next to the field names implies that these fields are required, but they are not.)
  2. In the Additional Params field, enter ;auth=noSasl.

Verifying the connection string

To verify the JDBC connection string in the log files, in the Looker Admin panel, click Log in the left menu. Then filter the log on a term such as jdbc or noSasl:

For more information about configuring Cloudera Impala to work with JDBC, see the Cloudera documentation.

Connecting to a cluster requiring LDAP authentication

For a cluster that requires LDAP authentication, including a cluster with Apache Sentry and Kerberos, on the Connection Settings page, enter a Username and Password with access to the schemas Looker will access.

Connecting to a cluster secured with Kerberos, but not using Apache Sentry

The Looker analyst team may need to assist in configuring this correctly.

Usually, Kerberos authentication with Cloudera environments is handled through Apache Sentry. See the Cloudera documentation for more details.

If you want to configure Looker to connect directly to Cloudera Impala using Kerberos authentication, follow the steps on this page.

Setting up the Kerberos client configuration

The first thing to do is ensure the installation of several pieces of software and the presence of several files on the Looker machine.

Kerberos client

Verify that the Kerberos client is installed on the Looker machine by trying to run kinit. If it’s not, install the Kerberos client’s binaries.

For example, on Redhat/CentOS, this would be:

sudo yum install krb5-workstation krb5-libs krb5-auth-dialog

Java 8

Java 8 must be installed on the Looker machine and in the PATH and JAVA_HOME of the Looker user. If necessary, install it locally in the looker directory.

Java Cryptography Extension

  1. Download and install the Java Cryptography Extension (JCE) for Java 8 from the Oracle website.

    • Locate the jre/lib/security directory for the Java installation.
    • Remove the following JAR files from this directory: local_policy.jar and US_export_policy.jar.
    • Replace these two files with the JAR files included in the JCE Unlimited Strength Jurisdiction Policy Files download.

    It may be possible to use versions of Java prior to Java 8 with the JCE installed, but this is not recommended.

  2. Update JAVA_HOME and PATH in ~looker/.bash_profile to point to the correct installation of Java and source ~/.bash_profile or log out and in again.

  3. Verify the Java version with java -version.

  4. Verify the JAVA_HOME environment variable with echo $JAVA_HOME.


Create a gss-jaas.conf file in the looker directory with these contents:

com.sun.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required

If necessary for testing, debug=true can be added to this file like this:

com.sun.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required


The server running Looker should also have a valid krb5.conf file. By default, this file is in /etc/krb5.conf. If it is in another location, that must be indicated in the environment (KRB5_CONFIG in the shell environment).

You may need to copy this from another Kerberos client machine.


Point to the gss-jaas.conf and krb5.conf files by making a file in the looker directory (the same directory that contains the looker startup script) called lookerstart.cfg that contains the following lines:

JAVAARGS="-Djava.security.auth.login.config=/path/to/gss-jaas.conf -Djavax.security.auth.useSubjectCredsOnly=false -Djava.security.krb5.conf=/etc/krb5.conf" LOOKERARGS=""

If the krb5.conf file is not at /etc/krb5.conf then it will also be necessary to add this variable:


For debugging, add these variables:

-Dsun.security.jgss.debug=true -Dsun.security.krb5.debug=true

Then restart Looker with ./looker restart.

Authenticating with Kerberos

User authentication

  1. If krb5.conf is not in /etc/, then use the environment variable KRB5_CONFIG to indicate its location.

  2. Run the command klist to make sure there is a valid ticket in the Kerberos ticket cache.

  3. If there is no ticket, run kinit username@REALM or kinit username to create the ticket.

  4. The account used with Looker will likely be headless, so you can get a keytab file from Kerberos to store the credential for long-term use. Use a command like kinit -k -t looker_user.keytab username@REALM to get the Kerberos ticket.

Automatically renewing the ticket

Set up a cron job that runs every so often to keep an active ticket in the Kerberos ticket cache. How often this should run depends on the configuration of the cluster. klist should give an indication of how soon tickets expire.

Setting up the Looker connection

In the Admin section of Looker, select Connections, and then select New Connection.

Fill out the connection details as follows (see the Connecting Looker to your database documentation page for more information):

It is a best practice to have the server name (impala.company.com in this example) be the canonical name for the server and its IP address’s reverse DNS lookup results in that name. However, the server name should be whatever is listed in the Kerberos domain controller:

nslookup servername # get canonical server name and IP address nslookup ipaddress # get the canonical name back

Sometimes the server name is set to be the hostname, and not the fully qualified domain name. In this case it may be necessary to modify the /etc/hosts and /etc/nsswitch.conf files to make sure that reverse lookups resolve as intended.

Test the connection to make sure that it is configured correctly.




The user connecting to the scratch schema for PDTs must have read/write permissions.


For more information, see the Configuring Impala to work with JDBC section in the Cloudera documentation.

Feature support

For Looker to support some features, your database dialect must also support them.

In Looker 22.10, Cloudera Impala support the following Looker features:

In Looker 22.10, Cloudera Impala 3.1+ supports the following Looker features:

Next steps

After you have connected your database to Looker, configure sign-in options for your users.