Configuring Impersonation in Zeppelin
Impersonation for Apache Zeppelin is enabled and configured through the user interface for each interpreter. The following provides details for performing these configuration functions.
- Per User
- Isolated
- User Impersonate
- Passwordless sudo (default one)
- SSH-keys
Passwordless sudo
For passwordless sudo use cases, interpreter processes for each user are started using sudo from the user that runs the notebook.
The settings for the user that runs Zeppelin Server (the cluster admin) are configured to use sudo without a password. Typically, this configuration is done by adding the following line to the sudo configuration:
mapr ALL=(ALL) NOPASSWD: ALL
Note that on a secure cluster, the interpreter process is launched from the user that runs the notebook. As such, that user needs to specify a user ticket.
SSH-key-based Impersonation
With SSH-key-based impersonation, the Zeppelin server user logs into the user shell with SSH (as opposed to executing commands with sudo). This method is more secure than using passwordless sudo configurations, but it can involve more configuration steps.
To enable SSH-key-based impersonation:
- Create a directory for the Zeppelin SSH key:
  mkdir -p /opt/mapr/zeppelin/zeppelin-0.9.0/conf/sshkeys
- Generate the keys (without passphrase):
  ssh-keygen -f /opt/mapr/zeppelin/zeppelin-0.9.0/conf/sshkeys/zeppelin_key
- Copy the keys to target users with ssh-copy-id (using localhost as the host):
  ssh-copy-id -i /opt/mapr/zeppelin/zeppelin-0.9.0/conf/sshkeys/zeppelin_key.pub <user>@localhost
  For example:
  ssh-copy-id -i /opt/mapr/zeppelin/zeppelin-0.9.0/conf/sshkeys/zeppelin_key.pub mapruser1@localhost
- Configure Zeppelin to use those keys for impersonation by setting ZEPPELIN_IMPERSONATE_CMD to the following value in conf/zeppelin-env.sh:
  export ZEPPELIN_IMPERSONATE_CMD='ssh -i ${ZEPPELIN_HOME}/conf/sshkeys/zeppelin_key ${ZEPPELIN_IMPERSONATE_USER}@localhost '
- Restart the Zeppelin server for these configurations to take effect:
  maprcli node services -action restart -nodes $(hostname) -name zeppelin
- Optionally, enable impersonation for interpreters of your choice in the Zeppelin user interface by setting the interpreter to be instantiated. To do so, select Per User and Isolated process, and then check User Impersonate.
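As an added example (not part of the original documentation), the following shell function audits the key directory created in the steps above. Because the key is generated without a passphrase, file ownership and permissions are its only protection. The function name, the finding labels and the use of GNU stat are assumptions of this example.

```shell
# Added example: audit the Zeppelin impersonation key directory.
# Assumptions: GNU stat (Linux); run as the user that runs Zeppelin Server.
# The function name and finding labels are hypothetical, not Zeppelin's.

# Usage: audit_zeppelin_sshkeys DIR [KEYNAME]
#   e.g. audit_zeppelin_sshkeys /opt/mapr/zeppelin/zeppelin-0.9.0/conf/sshkeys
# Prints one finding per line; returns 0 if clean, 1 otherwise.
audit_zeppelin_sshkeys() {
  local dir="$1"
  local name="${2:-zeppelin_key}"
  local priv="$dir/$name"
  local pub="$dir/$name.pub"
  local rc=0 mode owner

  if [ ! -d "$dir" ]; then
    echo "MISSING_DIR $dir"
    return 1
  fi

  # Any group/other permission bit on the key directory is flagged.
  mode=$(stat -c '%a' "$dir")
  if [ $(( 0$mode & 077 )) -ne 0 ]; then
    echo "DIR_TOO_OPEN $dir mode=$mode"; rc=1
  fi

  if [ ! -f "$priv" ]; then
    echo "MISSING_PRIVATE_KEY $priv"; rc=1
  else
    # The private key must be accessible to its owner only.
    mode=$(stat -c '%a' "$priv")
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
      echo "KEY_TOO_OPEN $priv mode=$mode"; rc=1
    fi
    # The owner should be the user running this audit (the Zeppelin server user).
    owner=$(stat -c '%u' "$priv")
    if [ "$owner" != "$(id -u)" ]; then
      echo "KEY_WRONG_OWNER $priv uid=$owner"; rc=1
    fi
  fi

  # The .pub half is what ssh-copy-id installs for each target user.
  [ -f "$pub" ] || { echo "MISSING_PUBLIC_KEY $pub"; rc=1; }
  return $rc
}
```

Running the audit after key generation and again after any change to conf/ catches a key that has become readable by other local accounts.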