GitHub user Tagar commented on the issue: https://github.com/apache/zeppelin/pull/2407

Great addition. Thank you.

Btw, although `renew_lifetime` can be set in `krb5.conf`, its maximum value is limited on the Active Directory side if AD is used for Kerberos; look, for example, at [Kerberos Policy](https://technet.microsoft.com/en-us/library/cc757692(v=ws.10).aspx#w2k3tr_sepol_accou_set_hpjo). Might be worth adding to the documentation?

> A user whoever configures Zeppelin with this configuration i.e. have a keytab/principal configured and enable "user impersonation", is aware that this keytab file is being shared with various users (which is not the default interpreter setting that we ship with Zeppelin), and if (s)he doesn't want this behaviour they can always fall back to the default option (which is not configuring any).

Would be great if Zeppelin would launch the user's own Zeppelin interpreter processes under their own uid through a setuid() call. Then keytabs could be locked down to be accessible to that one user. For example, after I LDAP-authenticate as the "tagar" user, Zeppelin will drop its uid down to the tagar user, and its keytab will have Unix access bits set to `0600`. Makes sense?

This probably should be part of another JIRA though.