Impersonation
User impersonation enables to run zeppelin interpreter process as a web frontend user
Setup
Linux User
1. Enable Shiro auth in conf/shiro.ini
[users]
user1 = password1, role1
user2 = password2, role2
2. Enable password-less ssh for the user you want to impersonate (say user1).
adduser user1
#ssh-keygen (optional if you don't already have generated ssh-key.
ssh user1@localhost mkdir -p .ssh
cat ~/.ssh/id_rsa.pub | ssh user1@localhost 'cat >> .ssh/authorized_keys'
Alternatively instead of password-less, user can override ZEPPELINIMPERSONATECMD in zeppelin-env.sh
export ZEPPELIN_IMPERSONATE_CMD='sudo -H -u ${ZEPPELIN_IMPERSONATE_USER} bash -c '
4. Restart zeppelin server.
# for OSX, linux
bin/zeppelin-daemon restart
# for windows
bin\zeppelin.cmd
5. Configure impersonation for interpreter
Go to interpreter setting page, and enable "User Impersonate" in any of the interpreter (in my example its shell interpreter)
6. Test with a simple paragraph
%sh
whoami
Note that usage of "User Impersonate" option will enable Spark interpreter to use --proxy-user
option with current user by default. If you want to disable --proxy-user
option, then refer to ZEPPELIN_IMPERSONATE_SPARK_PROXY_USER
variable in conf/zeppelin-env.sh
LDAP User with kerberized HDFS
1. Set the user(zeppelin) to be enable to set proxyuser in core-site.xml
<property>
<name>hadoop.proxyuser.zeppelin.groups</name>
<value>*</value>
</property>
<property>
<name>hadoop.proxyuser.zeppelin.users</name>
<value>*</value>
</property>
<property>
<name>hadoop.proxyuser.zeppelin.hosts</name>
<value>*</value>
</property>
2. Set the group to be enable to connect Hive metastore in 'core-site.xml'
<property>
<name>hadoop.proxyuser.hive.groups</name>
<value>zeppelin</value>
</property>
3. Enable Kerberos setting in zeppelin-site.xml
<property>
<name>zeppelin.server.kerberos.keytab</name>
<value>zeppelin.keytab</value>
</property>
<property>
<name>zeppelin.server.kerberos.principal</name>
<value>zeppelin@principal</value>
</property>
4. Restart zeppelin server.
# for OSX, linux
bin/zeppelin-daemon restart
# for windows
bin\zeppelin.cmd
5. Configure impersonation for interpreter
Option
The interpreter will be instantiated Per User in isolated process
User impersonate