What's the best way to have a multi-tenant Zeppelin notebook?

It seems we currently will have to ask users to run their own Zeppelin
instances, since each user has their own authentication & authorization
based on the user who runs the Zeppelin server.

I see the best solution could probably be to have --keytab and --principal
be notebook-level parameters rather than server-level.

So, for example, I can see Zeppelin multitenancy could be implemented as:
1) users are authenticated through LDAP,
2) that user gets mapped to a --keytab and --principal pair specific to
that user, so in-Hadoop HDFS, Hive etc. access will be specific to that user
(through HDFS ACL, and Sentry/Ranger roles).

Another way: it might be easier to implement through spark-submit's
--proxy-user parameter, but I am not sure of the details in this case.
I know that, for example, Cloudera's Hue is using proxy authentication quite
successfully in our organization. I.e. Hue does LDAP authentication, and then
impersonates that specific user, and all requests are made on behalf of that
user (although `hue` is the actual OS user that runs the Hue service). Other
Hadoop services are just configured to trust user `hue` to impersonate other
users.

Is there a better way?

Anything in the Zeppelin roadmap to bring user multitenancy?


Thank you,
Ruslan Dautkhanov
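
The trust arrangement the message describes, where Hadoop services let a service user such as `hue` impersonate other users, is configured through the `hadoop.proxyuser.<user>.hosts`, `.groups` and `.users` properties in core-site.xml. The following is an added example, not part of the original message, that audits such a file for wildcard trust; the `zeppelin` service account, its host name and group are assumptions, and the XML is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed core-site.xml fragment (not from the original message).
# The "zeppelin" account, host name and group are assumptions for illustration.
CORE_SITE = """<configuration>
  <property><name>hadoop.proxyuser.hue.hosts</name><value>*</value></property>
  <property><name>hadoop.proxyuser.hue.groups</name><value>*</value></property>
  <property><name>hadoop.proxyuser.zeppelin.hosts</name><value>zeppelin01.example.com</value></property>
  <property><name>hadoop.proxyuser.zeppelin.groups</name><value>notebook-users</value></property>
</configuration>"""

PREFIX = "hadoop.proxyuser."
SCOPES = ("hosts", "groups", "users")


def proxyuser_rules(xml_text):
    """Return {service_user: {scope: [values]}} for hadoop.proxyuser.* properties."""
    rules = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        value = (prop.findtext("value") or "").strip()
        if not name.startswith(PREFIX):
            continue
        # "hue.hosts" -> service "hue", scope "hosts"
        service, _, scope = name[len(PREFIX):].rpartition(".")
        if service and scope in SCOPES:
            rules.setdefault(service, {})[scope] = [
                v.strip() for v in value.split(",") if v.strip()
            ]
    return rules


def wildcard_findings(rules):
    """List (service_user, scope) pairs where the trust rule is '*'.

    A wildcard in hosts lets the service user impersonate from any machine;
    a wildcard in groups/users lets it impersonate any account.
    """
    out = []
    for service in sorted(rules):
        for scope in SCOPES:
            if "*" in rules[service].get(scope, []):
                out.append((service, scope))
    return out


if __name__ == "__main__":
    for service, scope in wildcard_findings(proxyuser_rules(CORE_SITE)):
        print(f"{service}: {scope} is a wildcard, narrow it to an allow-list")
```
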