Impersonation fails with Zeppelin and Livy2 on Kerberised HDP-

New Contributor

I have a kerberised HDP cluster with LDAP. I've configured an edge node with Zeppelin, Spark 1, Spark2, Livy and Livy2 to test the user impersonation feature in Zeppelin notebooks. The %livy interpreter works as expected, running jobs on the cluster as the user who logs into Zeppelin (which is configured for LDAP & Kerberos). The %sh interpreter also works, so I have user-level access to the HDFS cluster, and running a spark-shell as the same user also works fine. These both use the user's Kerberos ticket.

However, when I run a %livy2 interpreter e.g.


I keep getting the same error (user1 is the login for zeppelin, zeppelin-quantexa is the livy principal):

org.apache.zeppelin.livy.LivyException: {"msg":"User 'zeppelin-quantexa' not allowed to impersonate 'Some(user1)'."}
org.springframework.web.client.HttpClientErrorException: 403 Forbidden
	at org.springframework.web.client.DefaultResponseErrorHandler.handleError(
	at org.springframework.web.client.RestTemplate.handleResponse(
	at org.springframework.web.client.RestTemplate.doExecute(
	at Method)

As far as I can tell, the config for livy2 matches livy. I can't find anything in the Zeppelin or Livy logs that helps. Am I missing a setting that will allow the impersonation?




@Geoff Foote

What values do you have for the below parameter?

HDFS --> Configs --> Advanced --> Custom core-site


You should have ( * ) for both.

@Geoff Foote, @sameer dalai: Can you share a screenshot of the Livy interpreter settings and the Zeppelin shiro.ini file?

Provide the value of the below parameter. It should be set to true.



New Contributor

@Geoffrey Shelton Okot

Unfortunately, they are both set to * already.

It seems really odd that %livy works, but %livy2 doesn't. Do they not share the same settings?

@Geoff Foote @Geoffrey Shelton Okot

Any update on this issue yet? I am having the same issue.


@sameer dalai

Can you open a new thread and tag me? This is an old case that members won't be looking at. By opening a new one you will get more responses, even if I don't respond immediately.
