1) Just as an idea, you could also run separate Zeppelin servers for each
of the users (if there are just a handful of them).

2) Livy interpreter was already mentioned.

3) On a separate note, if the two JIRAs in [1] were implemented, it would be
possible to set, for example, the keytab location in the Spark interpreter
settings to something like "~/.keytab".
So "~" would mean the actual user's specific home directory. And because of
ZEPPELIN-2703's setuid() call, only properly authenticated users would be
able to read their own keytab files.
This would implement exactly what you're looking for without using the Livy
interpreter.



[1]
https://issues.apache.org/jira/browse/ZEPPELIN-2703
https://issues.apache.org/jira/browse/ZEPPELIN-1660




-- 
Ruslan Dautkhanov

On Fri, Nov 24, 2017 at 7:54 PM, Keiji Yoshida <kjmrk...@gmail.com> wrote:

> I'm managing Zeppelin which uses the LDAP authentication and submits Spark
> applications to the Kerberized Hadoop cluster in impersonation mode via the
> Livy interpreter at my company.
>
> Hortonworks's Zeppelin guide helped me a lot:
> https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.2/bk_zeppelin-component-guide/content/index.html
>
> On Sat, Nov 25, 2017 at 11:14 AM, Jeff Zhang <zjf...@gmail.com> wrote:
>
>>
>> IIRC, the Spark interpreter of Zeppelin doesn't support impersonation in
>> a kerberized cluster.  You can use the Livy interpreter instead, which
>> supports this.
>>
>> https://zeppelin.apache.org/docs/latest/interpreter/livy.html#impersonation
>>
>> <alexander.me...@t-systems.com> wrote on Sat, Nov 25, 2017 at 5:56 AM:
>>
>>> Hello users
>>>
>>>
>>>
>>> We have a cloudera cdh cluster where users are running their
>>> notebooks/interpreters in impersonated mode (interpreter instantiated per
>>> user in isolated process, User Impersonate checked).
>>>
>>> Most commonly used are the following interpreters:
>>>
>>> * Spark
>>> * Impala (jdbc interpreter group)
>>> * Phoenix (jdbc interpreter group)
>>> * HBase
>>> * Hive (jdbc interpreter group)
>>>
>>>
>>>
>>> We want to kerberize that cluster and I have tested user impersonation
>>> and kerberos on a test cluster with zeppelin 0.7.3, user authentication in
>>> ldap and authorization with kerberos… but I can’t get it to work. Not with
>>> a single one of the interpreters mentioned above.
>>>
>>> Unfortunately I haven’t found any helpful documentation about how to
>>> configure such a setup. Most how-to’s are covering kerberized cluster with
>>> an interpreter specific keytab … is that really the only way?
>>>
>>> Or am I missing the obvious?
>>>
>>>
>>>
>>> Thanks
>>>
>>> Alex
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>
>
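
Added example, not part of the original thread and not Zeppelin code: a check an administrator could run to confirm that a per-user keytab setting such as "~/.keytab" (point 3 above) resolves to a file only that user can read. The function names, the home_dir override and the "no group/other bits" policy are assumptions made for this illustration.

```python
import os
import pwd
import stat


def resolve_keytab(template, username, home_dir=None):
    """Expand a leading "~" to the named user's home, not the server account's."""
    # home_dir is a hypothetical override so the check can run without a real account.
    home = home_dir or pwd.getpwnam(username).pw_dir
    if template == "~" or template.startswith("~/"):
        return os.path.join(home, template[2:])
    return template


def audit_keytab(template, username, expected_uid, home_dir=None):
    """Return a list of findings; an empty list means the keytab is private."""
    path = resolve_keytab(template, username, home_dir)
    try:
        st = os.lstat(path)  # lstat: a symlink to another user's keytab is a finding
    except FileNotFoundError:
        return [f"{path}: missing"]
    findings = []
    if not stat.S_ISREG(st.st_mode):
        findings.append(f"{path}: not a regular file")
    if st.st_uid != expected_uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        mode = stat.S_IMODE(st.st_mode)
        findings.append(f"{path}: group/other bits set ({mode:04o})")
    return findings


if __name__ == "__main__":
    import tempfile

    # Constructed sample: a throwaway "home" with a placeholder keytab file.
    with tempfile.TemporaryDirectory() as home:
        keytab = os.path.join(home, ".keytab")
        with open(keytab, "wb") as fh:
            fh.write(b"constructed placeholder, not a real keytab")
        for mode in (0o600, 0o644):
            os.chmod(keytab, mode)
            result = audit_keytab("~/.keytab", "alice", os.getuid(), home)
            print(f"{mode:04o}:", result or "ok")
```
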
