Zeppelin with impersonation and kerberos


Zeppelin with impersonation and kerberos

Alexander.Meier

Hello users

We have a Cloudera CDH cluster where users are running their notebooks/interpreters in impersonated mode (interpreter instantiated per user in isolated process, User Impersonate checked).

Most commonly used are the following interpreters:

· Spark
· Impala (jdbc interpreter group)
· Phoenix (jdbc interpreter group)
· HBase
· Hive (jdbc interpreter group)

We want to kerberize that cluster and I have tested user impersonation and Kerberos on a test cluster with Zeppelin 0.7.3, user authentication in LDAP and authorization with Kerberos… but I can’t get it to work. Not with a single one of the interpreters mentioned above.

Unfortunately I haven’t found any helpful documentation about how to configure such a setup. Most how-tos are covering a kerberized cluster with an interpreter-specific keytab … is that really the only way?

Or am I missing the obvious?

Thanks

Alex

Reply | Threaded
Open this post in threaded view
|

Re: Zeppelin with impersonation and kerberos

Jeff Zhang

IIRC, the Spark interpreter of Zeppelin doesn't support impersonation in a kerberized cluster. You can use the Livy interpreter instead, which supports this.



Re: Zeppelin with impersonation and kerberos

Keiji Yoshida
I'm managing Zeppelin which uses the LDAP authentication and submits Spark applications to the Kerberized Hadoop cluster in impersonation mode via the Livy interpreter at my company.



Re: Zeppelin with impersonation and kerberos

Ruslan Dautkhanov
1) Just as an idea, you could also run separate Zeppelin servers for each of the users (if there are just a handful of them).

2) The Livy interpreter was already mentioned.

3) On a separate note, if the two JIRAs in [1] were implemented, it would be possible to set, for example, the keytab location in the Spark interpreter settings to something like "~/.keytab". So "~" would mean the actual user's specific home directory. And because of ZEPPELIN-2703's setuid() call, only properly authenticated users would be able to read their own keytab files. This would implement exactly what you're looking for without using the Livy interpreter.



[1]




--
Ruslan Dautkhanov
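
The per-user keytab idea in point 3 only holds if each keytab is owned by its user and closed to everyone else. The audit below is an added example, not part of the original post or of Zeppelin; the `.keytab` name follows the post, while the function names and the use of GNU `stat` are assumptions.

```sh
#!/bin/sh
# Added example: audit per-user keytabs under a home-directory root.
# Assumes GNU stat (-c) and one directory per user under the root.

# check_keytab HOME_DIR [NAME]: prints one verdict line, returns 1 on a finding.
check_keytab() {
    ck_home="$1"; ck_name="${2:-.keytab}"
    ck_kt="$ck_home/$ck_name"
    ck_user="$(basename "$ck_home")"

    # A symlink could point the interpreter at another user's key material.
    if [ -L "$ck_kt" ]; then
        echo "FAIL $ck_user: keytab is a symlink"; return 1
    fi
    if [ ! -f "$ck_kt" ]; then
        echo "SKIP $ck_user: no keytab"; return 0
    fi

    ck_home_uid="$(stat -c '%u' "$ck_home")"
    ck_kt_uid="$(stat -c '%u' "$ck_kt")"
    ck_mode="$(stat -c '%a' "$ck_kt")"

    if [ "$ck_kt_uid" != "$ck_home_uid" ]; then
        echo "FAIL $ck_user: keytab uid $ck_kt_uid != home uid $ck_home_uid"; return 1
    fi
    # Octal mode must end in 00: no group or other permission bits at all.
    case "$ck_mode" in
        *00) echo "OK $ck_user: mode $ck_mode" ;;
        *)   echo "FAIL $ck_user: mode $ck_mode grants group/other access"; return 1 ;;
    esac
}

# audit_keytabs HOME_ROOT [NAME]: one verdict per home, returns 1 if any failed.
audit_keytabs() {
    au_root="$1"; au_name="${2:-.keytab}"; au_failed=0
    for au_dir in "$au_root"/*/; do
        [ -d "$au_dir" ] || continue
        check_keytab "${au_dir%/}" "$au_name" || au_failed=1
    done
    return "$au_failed"
}
```

Run it as `audit_keytabs /home` from an account that can stat every home directory; a non-zero exit means at least one keytab needs attention.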
