We have a Cloudera CDH cluster where users are running their notebooks/interpreters in impersonated mode (interpreter instantiated per user in isolated process, User Impersonate checked).
Most commonly used are the following interpreters:
· Impala (jdbc interpreter group)
· Phoenix (jdbc interpreter group)
· Hive (jdbc interpreter group)
We want to kerberize that cluster, and I have tested user impersonation and Kerberos on a test cluster with Zeppelin 0.7.3, user authentication in LDAP and authorization with Kerberos… but I can’t get it to work. Not with a single one of the interpreters mentioned above.
Unfortunately I haven’t found any helpful documentation about how to configure such a setup. Most how-tos cover a kerberized cluster with an interpreter-specific keytab … is that really the only way?
Or am I missing the obvious?
IIRC, the Spark interpreter of Zeppelin doesn't support impersonation in a kerberized cluster. You can use the Livy interpreter instead, which supports this.
I'm managing Zeppelin which uses the LDAP authentication and submits Spark applications to the Kerberized Hadoop cluster in impersonation mode via the Livy interpreter at my company.
Hortonworks's Zeppelin guide helped me a lot: https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.2/bk_zeppelin-component-guide/content/index.html
On Sat, Nov 25, 2017 at 11:14 AM, Jeff Zhang <[hidden email]> wrote:
1) Just as an idea, you could also run separate Zeppelin servers for each of the users (if there are just a handful of them).
2) Livy interpreter was already mentioned.
On a separate note, if two jiras in  were implemented, it would be possible to set for example
keytab location in Spark interpreter settings to something like "~/.keytab".
So "~" would mean actual user's specific home directory. And because of ZEPPELIN-2703's setuid()
call, only properly authenticated users would be able to read their own keytab files.
This would implement exactly what you're looking for without using Livy interpreter.
On Fri, Nov 24, 2017 at 7:54 PM, Keiji Yoshida <[hidden email]> wrote:
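The per-user "~/.keytab" idea discussed in the thread only isolates users if each keytab is owned by its user and unreadable by anyone else. The following is an added example, not part of the original thread or of Zeppelin: a permission audit for such files, where the function name `audit_keytab` and the sample files are assumptions constructed for illustration.

```python
import os
import stat
import tempfile

def audit_keytab(path, expected_uid):
    """Return a list of findings for one per-user keytab; an empty list means OK."""
    try:
        st = os.lstat(path)  # lstat: do not follow a symlink planted in the home dir
    except FileNotFoundError:
        return ["missing"]
    if stat.S_ISLNK(st.st_mode):
        return ["symlink"]
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file"]
    findings = []
    if st.st_uid != expected_uid:
        findings.append("owner uid %d, expected %d" % (st.st_uid, expected_uid))
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("group/other access: mode %o" % stat.S_IMODE(st.st_mode))
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    # A world-writable parent without the sticky bit lets others replace the file.
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        findings.append("parent directory is world-writable")
    return findings

def demo():
    """Constructed sample: placeholder files in a temp dir standing in for a home."""
    uid = os.getuid()
    with tempfile.TemporaryDirectory() as home:
        good = os.path.join(home, "good.keytab")
        bad = os.path.join(home, "bad.keytab")
        for path, mode in ((good, 0o600), (bad, 0o644)):
            with open(path, "wb") as f:
                f.write(b"constructed placeholder, not a real keytab")
            os.chmod(path, mode)
        link = os.path.join(home, "link.keytab")
        os.symlink(good, link)
        return {
            "good": audit_keytab(good, uid),
            "bad": audit_keytab(bad, uid),
            "link": audit_keytab(link, uid),
            "missing": audit_keytab(os.path.join(home, "none.keytab"), uid),
        }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result or "ok")
```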