Unfortunately the Ambari users only apply to what users can do through the Ambari UI, not through the Yarn or Spark UI. I think I've come up with an acceptable solution:
1) Create a new 'zeppelin' YARN queue, with all users as administrator and the 'zeppelin' user allowed to submit (altho actually all users seem to be able to submit)
2) Configure zeppelin to submit its applications to the YARN zeppelin queue (spark.yarn.queue)
3) Add users to spark.admin.acls and spark.history.ui.admin.acls
Actually looks like #3 overrides #1&2 so that any users can admin any spark jobs (whether submitted via Zeppelin or otherwise), but that will have to do for now.