layout: page title: “Impersonation” description: “Set up zeppelin interpreter process as web front end user.” group: usage/interpreter

{% include JB/setup %}

Impersonation

User impersonation enables to run zeppelin interpreter process as a web frontend user

Setup

Linux User

1. Enable Shiro auth in `conf/shiro.ini`

[users]
user1 = password1, role1
user2 = password2, role2

2. Enable password-less ssh for the user you want to impersonate (say user1).

adduser user1
#ssh-keygen (optional if you don't already have generated ssh-key.
ssh user1@localhost mkdir -p .ssh
cat ~/.ssh/id_rsa.pub | ssh user1@localhost 'cat >> .ssh/authorized_keys'

Alternatively instead of password-less, user can override ZEPPELIN_IMPERSONATE_CMD in zeppelin-env.sh

export ZEPPELIN_IMPERSONATE_CMD=(sudo -H -u "${ZEPPELIN_IMPERSONATE_USER}" bash -c)

4. Restart zeppelin server.

# for OSX, linux
bin/zeppelin-daemon restart

# for windows
bin\zeppelin.cmd

5. Configure impersonation for interpreter

Go to interpreter setting page, and enable “User Impersonate” in any of the interpreter (in my example its shell interpreter)

6. Test with a simple paragraph

%sh
whoami

Note that usage of “User Impersonate” option will enable Spark interpreter to use --proxy-user option with current user by default. If you want to disable --proxy-user option, then refer to ZEPPELIN_IMPERSONATE_SPARK_PROXY_USER variable in conf/zeppelin-env.sh

LDAP User with kerberized HDFS

1. Set the user(zeppelin) to be enable to set proxyuser in `core-site.xml`

<property>
  <name>hadoop.proxyuser.zeppelin.groups</name>
  <value>*</value>
</property>
<property>
  <name>hadoop.proxyuser.zeppelin.users</name>
  <value>*</value>
</property>
<property>
  <name>hadoop.proxyuser.zeppelin.hosts</name>
  <value>*</value>
</property>

2. Set the group to be enable to connect Hive metastore in ‘core-site.xml’

<property>
  <name>hadoop.proxyuser.hive.groups</name>
  <value>zeppelin</value>
</property>

3. Enable Kerberos setting in `zeppelin-site.xml`

<property>
  <name>zeppelin.server.kerberos.keytab</name>
  <value>zeppelin.keytab</value>
</property>

<property>
  <name>zeppelin.server.kerberos.principal</name>
  <value>zeppelin@principal</value>
</property>

4. Restart zeppelin server.

# for OSX, linux
bin/zeppelin-daemon restart

# for windows
bin\zeppelin.cmd

5. Configure impersonation for interpreter

Option

The interpreter will be instantiated Per User in isolated process

User impersonate

layout: page title: “Impersonation” description: “Set up zeppelin interpreter process as web front end user.” group: usage/interpreter

Impersonation

Setup

Linux User

1. Enable Shiro auth in conf/shiro.ini

2. Enable password-less ssh for the user you want to impersonate (say user1).

4. Restart zeppelin server.

5. Configure impersonation for interpreter

6. Test with a simple paragraph

LDAP User with kerberized HDFS

1. Set the user(zeppelin) to be enable to set proxyuser in core-site.xml

2. Set the group to be enable to connect Hive metastore in ‘core-site.xml’

3. Enable Kerberos setting in zeppelin-site.xml

4. Restart zeppelin server.

5. Configure impersonation for interpreter

1. Enable Shiro auth in `conf/shiro.ini`

1. Set the user(zeppelin) to be enable to set proxyuser in `core-site.xml`

3. Enable Kerberos setting in `zeppelin-site.xml`