Thank you a lot moon!

> Interpreter Impersonation [1] is recently introduced and there is further
> improvement in progress [2].

Very cool. Please consider checking
https://issues.apache.org/jira/browse/ZEPPELIN-1660 too as we
would always run into this to make Zeppelin not have any user-specific
paths.

> I didn't see any issue about impersonate spark interpreter using
> --proxy-user. Do you mind create one?

Complete: https://issues.apache.org/jira/browse/ZEPPELIN-1730

Thank you.



-- 
Ruslan Dautkhanov

On Tue, Nov 29, 2016 at 3:30 PM, moon soo Lee <m...@apache.org> wrote:

> Interpreter Impersonation [1] is recently introduced and there is further
> improvement in progress [2].
>
> I didn't see any issue about impersonate spark interpreter using
> --proxy-user. Do you mind create one?
>
> Thanks,
> moon
>
> [1] http://zeppelin.apache.org/docs/0.7.0-SNAPSHOT/manual/userimpersonation.html
> [2] https://github.com/apache/zeppelin/pull/1672
>
>
> On Tue, Nov 29, 2016 at 11:05 AM vincent gromakowski <
> vincent.gromakow...@gmail.com> wrote:
>
>> It has been asked many times. For now only livy can impersonate the spark
>> user. For other interpreters it's not possible as I know...
>>
>> On Nov 29, 2016 7:44 PM, "Ruslan Dautkhanov" <dautkha...@gmail.com>
>> wrote:
>>
>> What's a best way to have a multi-tenant Zeppelin notebook?
>>
>> It seems we currently will have to ask users to run their own Zeppelin
>> instances.
>> Since each user has its own authentication & authorization based on
>> user who runs
>> Zeppelin server.
>>
>> I see best solution could be to have probably --keytab and --principal to
>> be
>> notebook-level parameters rather than server-level.
>>
>> So, for example, I can see Zeppelin multitenancy could be implemented as
>> 1) users after being authenticated through LDAP,
>> 2) that user gets mapped to a  --keytab and --principal pair specific for
>> that user
>> so in-Hadoop HDFS, Hive etc access will be specific for that user
>> (through HDFS ACL, and Sentry/Ranger roles).
>>
>> Another way: It might be easier to implement through spark-submit's
>> --proxy-user
>> parameter, but I am not sure details in this case.
>> I know that for example Cloudera's Hue is using proxy authentication
>> quite successfully
>> in our organization. I.e. Hue does LDAP authentication, and then
>> impersonates to that
>> specific user and all requests are made on behalf of that user (although
>> `hue` is actual
>> OS user that runs Hue service). Other Hadoop services are just configured
>> to trust
>> user `hue` to impersonate to other users.
>>
>> Is there a better way?
>>
>> Anything in Zeppelin roadmap to bring user multitenancy?
>>
>>
>> Thank you,
>> Ruslan Dautkhanov
>>
>>
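
Added example, not part of the thread and not Zeppelin or Hue code: the trust the original question describes for `hue` is expressed in Hadoop's core-site.xml as `hadoop.proxyuser.<account>.hosts`, `.groups` and `.users` properties, and this Python check parses a constructed fragment and reports service accounts whose impersonation scope is a wildcard. The `zeppelin` account name, the hostnames and the group name are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed core-site.xml fragment (not from the thread). "hue" is the
# service account named in the thread; "zeppelin" is an assumed account name.
SAMPLE_CORE_SITE = """<configuration>
  <property><name>hadoop.proxyuser.hue.hosts</name><value>hue01.example.com</value></property>
  <property><name>hadoop.proxyuser.hue.groups</name><value>analysts</value></property>
  <property><name>hadoop.proxyuser.zeppelin.hosts</name><value>*</value></property>
  <property><name>hadoop.proxyuser.zeppelin.groups</name><value>*</value></property>
  <property><name>fs.defaultFS</name><value>hdfs://nn.example.com:8020</value></property>
</configuration>"""

PREFIX = "hadoop.proxyuser."
SCOPES = ("hosts", "groups", "users")


def parse_proxyusers(xml_text):
    """Return {service_account: {scope: [values]}} from core-site.xml text."""
    rules = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        value = (prop.findtext("value") or "").strip()
        if not name.startswith(PREFIX):
            continue
        # Split on the last dot so the account part is kept whole.
        account, _, scope = name[len(PREFIX):].rpartition(".")
        if account and scope in SCOPES:
            rules.setdefault(account, {})[scope] = [
                v.strip() for v in value.split(",") if v.strip()]
    return rules


def audit(xml_text):
    """Return sorted (account, scope) pairs whose value contains '*'."""
    return sorted((account, scope)
                  for account, scopes in parse_proxyusers(xml_text).items()
                  for scope, values in scopes.items() if "*" in values)


def unrestricted_accounts(xml_text):
    """Accounts that may impersonate anyone (groups or users) from any host."""
    wild = set(audit(xml_text))
    return sorted({a for a, _ in wild if (a, "hosts") in wild
                   and ((a, "groups") in wild or (a, "users") in wild)})


if __name__ == "__main__":
    for account, scope in audit(SAMPLE_CORE_SITE):
        print(f"{account}: {scope} is a wildcard")
    print("unrestricted:", unrestricted_accounts(SAMPLE_CORE_SITE))
```
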
