Impersonation

User impersonation lets Zeppelin run the interpreter process as a web frontend user.

Setup

Linux User

1. Enable Shiro auth in conf/shiro.ini

[users]
user1 = password1, role1
user2 = password2, role2

2. Enable password-less ssh for the user you want to impersonate (say user1).

adduser user1
#ssh-keygen (optional; run it only if you have not already generated an ssh key)
ssh user1@localhost mkdir -p .ssh
cat ~/.ssh/id_rsa.pub | ssh user1@localhost 'cat >> .ssh/authorized_keys'

Alternatively, instead of password-less ssh, you can override ZEPPELIN_IMPERSONATE_CMD in zeppelin-env.sh:

export ZEPPELIN_IMPERSONATE_CMD='sudo -H -u ${ZEPPELIN_IMPERSONATE_USER} bash -c '

4. Restart zeppelin server.

# for OSX, linux
bin/zeppelin-daemon.sh restart

# for windows
bin\zeppelin.cmd

5. Configure impersonation for interpreter


Go to the interpreter settings page and enable "User Impersonate" for any of the interpreters (in my example it's the shell interpreter).

6. Test with a simple paragraph

%sh
whoami

Note that enabling the "User Impersonate" option makes the Spark interpreter use the --proxy-user option with the current user by default. If you want to disable the --proxy-user option, refer to the ZEPPELIN_IMPERSONATE_SPARK_PROXY_USER variable in conf/zeppelin-env.sh.

LDAP User with kerberized HDFS

1. Enable the user (zeppelin) to act as a proxy user in core-site.xml

<property>
  <name>hadoop.proxyuser.zeppelin.groups</name>
  <value>*</value>
</property>
<property>
  <name>hadoop.proxyuser.zeppelin.users</name>
  <value>*</value>
</property>
<property>
  <name>hadoop.proxyuser.zeppelin.hosts</name>
  <value>*</value>
</property>

2. Enable the group to connect to the Hive metastore in core-site.xml

<property>
  <name>hadoop.proxyuser.hive.groups</name>
  <value>zeppelin</value>
</property>

3. Enable Kerberos setting in zeppelin-site.xml

<property>
  <name>zeppelin.server.kerberos.keytab</name>
  <value>zeppelin.keytab</value>
</property>

<property>
  <name>zeppelin.server.kerberos.principal</name>
  <value>zeppelin@principal</value>
</property>

4. Restart zeppelin server.

# for OSX, linux
bin/zeppelin-daemon.sh restart

# for windows
bin\zeppelin.cmd

5. Configure impersonation for interpreter

In the interpreter's "Option" section, select "The interpreter will be instantiated Per User in isolated process" and enable "User Impersonate".
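
The core-site.xml entries in steps 1 and 2 decide whom the zeppelin principal may impersonate and from where, and step 1 sets all three scopes to `*`. The following Python check is an added example, not part of the Zeppelin documentation: it parses a core-site.xml and reports which hadoop.proxyuser.* grants are wildcards. Both sample files are constructed; the host and group names in the scoped variant are hypothetical placeholders.

```python
# Added example: flag wildcard Hadoop proxyuser grants in a core-site.xml.
import re
import xml.etree.ElementTree as ET

PROXY_KEY = re.compile(r"^hadoop\.proxyuser\.([^.]+)\.(hosts|groups|users)$")

def _props(pairs):
    """Build a constructed core-site.xml from (name, value) pairs."""
    body = "".join(f"<property><name>{n}</name><value>{v}</value></property>" for n, v in pairs)
    return f"<configuration>{body}</configuration>"

# Constructed sample: the grants shown in steps 1 and 2 of this page.
PAGE_CORE_SITE = _props([
    ("hadoop.proxyuser.zeppelin.groups", "*"),
    ("hadoop.proxyuser.zeppelin.users", "*"),
    ("hadoop.proxyuser.zeppelin.hosts", "*"),
    ("hadoop.proxyuser.hive.groups", "zeppelin"),
])
# Constructed, hypothetical scoped variant: host and group names are placeholders.
SCOPED_CORE_SITE = _props([
    ("hadoop.proxyuser.zeppelin.groups", "analysts"),
    ("hadoop.proxyuser.zeppelin.hosts", "zeppelin-host.example.com"),
])

def proxyuser_grants(xml_text):
    """Return {superuser: {scope: [values]}} for every hadoop.proxyuser.* property."""
    grants = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        match = PROXY_KEY.match((prop.findtext("name") or "").strip())
        if match:
            raw = prop.findtext("value") or ""
            values = [v.strip() for v in raw.split(",") if v.strip()]
            grants.setdefault(match.group(1), {})[match.group(2)] = values
    return grants

def audit(xml_text):
    """Return (superuser, wildcard_scopes, unrestricted) tuples sorted by superuser."""
    report = []
    for user, scopes in sorted(proxyuser_grants(xml_text).items()):
        wild = sorted(scope for scope, values in scopes.items() if "*" in values)
        # Unrestricted: may impersonate anyone (users or groups = *) from any host.
        unrestricted = "hosts" in wild and ("users" in wild or "groups" in wild)
        report.append((user, wild, unrestricted))
    return report

if __name__ == "__main__":
    for name, xml_text in (("page", PAGE_CORE_SITE), ("scoped", SCOPED_CORE_SITE)):
        for user, wild, unrestricted in audit(xml_text):
            print(f"{name}: {user} wildcard={wild} unrestricted={unrestricted}")
```

With the page's settings the zeppelin entry is reported as unrestricted; naming the Zeppelin host and the groups whose members may be impersonated clears the finding.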