Configuring Impersonation in Zeppelin

Impersonation for Apache Zeppelin is enabled and configured through the user interface for each interpreter. The following provides details for performing these configuration functions.

Set the interpreter for which impersonation is to be enabled to be instantiated by selecting or checking the following from the user interface:

Per User
Isolated
User Impersonate

Excluding Spark and JDBC-based interpreters such as Hive and Drill, impersonation operates in the background using one of the following methods:

Passwordless sudo (default one)
SSH-keys

Passwordless sudo

For passwordless sudo use cases, interpreter processes for each user are started using sudo from the user that runs the notebook.

NOTE

This operation excludes Spark and JDBC-based interpreters, such as JDBC, Hive, and Drill.

The settings for the user that runs Zeppelin Server (the cluster admin) are configured to use sudo without a password. Typically, this configuration is done by adding the following line to the sudo configuration:

mapr ALL=(ALL) NOPASSWD: ALL

WARNING

Use caution when performing sudo configurations. Passwordless sudo configurations can weaken security on your cluster.

Note that on a secure cluster, the interpreter process is launched from the user that runs the notebook. As such, that user needs to specify a user ticket.

SSH-key-based Impersonation

With SSH-key-based impersonation, the Zeppelin server user logs into the user shell with SSH (as opposed to executing commands with sudo). This method is more secure than using passwordless sudo configurations and can involve more configuration steps.

To enable SSH-key based impersonation:

Create a directory for the Zeppelin SSH key:
```
mkdir -p /opt/mapr/zeppelin/zeppelin-0.9.0/conf/sshkeys
```

Generate the keys (without passphrase):

ssh-keygen -f /opt/mapr/zeppelin/zeppelin-0.9.0/conf/sshkeys/zeppelin_key

Copy the keys to target users with the ssh-copy-id (using localhost as the host):

ssh-copy-id -i /opt/mapr/zeppelin/zeppelin-0.9.0/conf/sshkeys/zeppelin_key.pub <user>@localhost

For example:

ssh-copy-id -i /opt/mapr/zeppelin/zeppelin-0.9.0/conf/sshkeys/zeppelin_key.pub mapruser1@localhost

Configure Zeppelin to use those keys for impersonation by setting ZEPPELIN_IMPERSONATE_CMD to the following value in conf/zeppelin-env.sh:
```
export ZEPPELIN_IMPERSONATE_CMD='ssh -i ${ZEPPELIN_HOME}/conf/sshkeys/zeppelin_key ${ZEPPELIN_IMPERSONATE_USER}@localhost '
```
Restart the Zeppelin server for these configurations to take effect:
```
maprcli node services -action restart -nodes $(hostname) -name zeppelin
```
Optionally, enable impersonation for interpreters of your choice in the Zeppelin user interface by setting the interpreter to be instantiated. To do so, select Per User and Isolated process, and then check User Impersonate as shown below:

HPE Ezmeral Data Fabric – Customer-Managed 7.9.0 Documentation
Abstract	This site contains documentation for the customer-managed platform of the HPE Ezmeral Data Fabric version 7.9.0 including installation, configuration, administration, and reference content, as well as content for the associated bundled ecosystem components and drivers.
Published	November 2024
Edition	7.9.0