
Controlling Access to HDFS data through zeppelin

New Contributor

Hi,

I am using HDP 2.5. I want to have an access control mechanism (for different files on HDFS) for different users through Zeppelin. As the Zeppelin process runs as the "zeppelin" user, how can I create Ranger policies for different users?

I have tried creating a Ranger policy for the "zeppelin" user, which works fine, but I am not clear on how to create access control for different Zeppelin users.

I triggered Spark jobs which are started by the "zeppelin" user, so again access to HDFS files is restricted to the "zeppelin" user. I want to enforce this for different users logging in to the same Zeppelin instance.

Any help will be appreciated.


Re: Controlling Access to HDFS data through zeppelin

Expert Contributor

First, authentication via AD/LDAP needs to be enabled in Zeppelin. You can search HCC for articles showing how to set that up.

Next, for Spark jobs you have to enable and configure the Livy component in the Spark service via Ambari. Then configure and enable the Livy interpreter in Zeppelin. After that, authenticated users would run their Spark code in Zeppelin via the %livy.sql or %livy.spark interpreters. Livy interpreters support impersonation for Spark jobs in a multi-user Zeppelin environment via the Livy service. /cc @vshukla in case we already have a definitive HCC article for this scenario.

Re: Controlling Access to HDFS data through zeppelin

@Rishabh Bhardwaj Here is what needs to be done to accomplish your use case:
  1. Enable Zeppelin Authentication (there are many articles on HCC, see https://community.hortonworks.com/content/kbentry/75449/zeppelin-ldap-confiuration.html)
  2. Enable Zeppelin to use Livy interpreter for submitting Spark jobs (With Livy the user identity propagates, read from Grant Livy ability to impersonate at https://community.hortonworks.com/content/kbentry/65449/ow-to-setup-a-multi-user-active-directory-ba...
  3. Follow https://community.hortonworks.com/articles/66570/dont-publish-yet-securing-spark-with-ranger-using.h... for Ranger integration

Let us know if you run into any issues.

cc @Bikas @azeltov
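
An added example, not part of any reply in this thread: a Python check of the two settings that per-user access through Livy depends on, Livy's `livy.impersonation.enabled` and Hadoop's `hadoop.proxyuser.<user>.*` rules in core-site.xml. The service account name `livy` and the sample config contents are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs (not taken from the thread).
CORE_SITE = """<configuration>
  <property><name>hadoop.proxyuser.livy.hosts</name><value>*</value></property>
  <property><name>hadoop.proxyuser.livy.groups</name><value>zeppelin-users</value></property>
</configuration>"""
LIVY_CONF = "# constructed sample\nlivy.impersonation.enabled = true\n"

def proxyuser_settings(core_site_xml):
    """Map each proxy service user to its hosts/groups/users values."""
    out = {}
    for prop in ET.fromstring(core_site_xml).iter("property"):
        parts = (prop.findtext("name") or "").strip().split(".")
        if len(parts) == 4 and parts[:2] == ["hadoop", "proxyuser"]:
            out.setdefault(parts[2], {})[parts[3]] = (prop.findtext("value") or "").strip()
    return out

def livy_impersonation_enabled(livy_conf):
    """Read livy.impersonation.enabled; treated as off when the key is absent."""
    enabled = False
    for line in livy_conf.splitlines():
        # Accept both "key = value" and "key value"; comment lines never match the key.
        parts = line.strip().replace("=", " ").split()
        if len(parts) >= 2 and parts[0] == "livy.impersonation.enabled":
            enabled = parts[1].lower() == "true"
    return enabled

def audit(core_site_xml, livy_conf, livy_user="livy"):
    """Return findings that would defeat or over-broaden per-user access.

    livy_user is the assumed name of the Livy service account.
    """
    findings = []
    if not livy_impersonation_enabled(livy_conf):
        findings.append("livy.impersonation.enabled is not true; "
                        "sessions run as the Livy service user")
    rule = proxyuser_settings(core_site_xml).get(livy_user, {})
    if not rule.get("hosts") or not (rule.get("groups") or rule.get("users")):
        findings.append(f"hadoop.proxyuser.{livy_user}.* is incomplete; "
                        "HDFS will reject impersonation requests")
    for field in sorted(rule):
        if rule[field] == "*":
            findings.append(f"hadoop.proxyuser.{livy_user}.{field} is '*'; "
                            f"{livy_user} may impersonate without a {field} restriction")
    return findings

if __name__ == "__main__":
    for finding in audit(CORE_SITE, LIVY_CONF):
        print("FINDING:", finding)
```

With impersonation on and the proxy rule scoped, HDFS and Ranger evaluate each request as the logged-in Zeppelin user rather than as the service account.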

Re: Controlling Access to HDFS data through zeppelin

New Contributor

I have tried this and Zeppelin started the Livy session with the logged-in user. My question is for all the interpreters (I used Spark as an example in the question description). I saw some posts covering the Spark and Hive use cases for the same.

Re: Controlling Access to HDFS data through zeppelin

Only livy and jdbc interpreters will allow user impersonation at this point.
