Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

Impersonation fails with Zeppelin and Livy2 on Kerberised HDP-2.6.1.0I

Impersonation fails with Zeppelin and Livy2 on Kerberised HDP-2.6.1.0I

New Contributor

I have a kerberised HDP cluster with LDAP. I've configured an edge node with zeppelin, Spark 1, Spark2, Livy and Livy2 to test the user impersonation feature in Zeppelin noteboks. The %livy interpreter works as expected, running jobs on the cluster as the user who logs into zeppelin (which is configured for LDAP & Kerberos). The %sh interpreter also works, so I have user level access to the HDFS cluster, and running a spark-shell as the same user also works fine. These both use the user's kerberos ticket.

However, when I run a %livy2 interpreter e.g.

%livy2
println(scala.util.Properties.versionString)

I keep getting the same error (user1 is the login for zeppelin, zeppelin-quantexa is the livy principal):

org.apache.zeppelin.livy.LivyException: {"msg":"User 'zeppelin-quantexa' not allowed to impersonate 'Some(user1)'."}
org.springframework.web.client.HttpClientErrorException: 403 Forbidden
	at org.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:91)
	at org.springframework.web.client.RestTemplate.handleResponse(RestTemplate.java:667)
	at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:620)
	at org.springframework.security.kerberos.client.KerberosRestTemplate.doExecuteSubject(KerberosRestTemplate.java:202)
	at org.springframework.security.kerberos.client.KerberosRestTemplate.access$100(KerberosRestTemplate.java:67)
	at org.springframework.security.kerberos.client.KerberosRestTemplate$1.run(KerberosRestTemplate.java:191)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAs(Subject.java:360)

As far as I can tell, the config for livy2 matches livy. I can't find anything in the zeppelin or livy logs that helps. Am I missing a setting that will allow the impersonation ?

Thanks.

5 REPLIES 5

Re: Impersonation fails with Zeppelin and Livy2 on Kerberised HDP-2.6.1.0I

Mentor

@Geoff Foote

What values do you have for the below parameter

HDFS---->Configs-->Advanced-->Custom core-site

hadoop.proxyuser.zeppelin.groups    
hadoop.proxyuser.zeppelin.hosts 

You should have ( * )for both

Re: Impersonation fails with Zeppelin and Livy2 on Kerberised HDP-2.6.1.0I

New Contributor

@ Geoff Foote , @sameer dalai : Can you share Livy interpreter settings screenshot and zeppelin shiro.ini file

provide the value of below parameter. It should be set to true.

livy.impersonation.enabled

-Shashi






Re: Impersonation fails with Zeppelin and Livy2 on Kerberised HDP-2.6.1.0I

New Contributor

@Geoffrey Shelton Okot

Unfortunately they are both set to * already

It seems really odd that %livy works, but %livy2 doesn't. Do they not share the same settings ?

Re: Impersonation fails with Zeppelin and Livy2 on Kerberised HDP-2.6.1.0I

New Contributor

@Geoff Foote @Geoffrey Shelton Okot

Any update on this issue yet, I am having the same issue




Re: Impersonation fails with Zeppelin and Livy2 on Kerberised HDP-2.6.1.0I

Mentor

@sameer dalai

Can you open a new thread and tag me this an old case that member won't be looking at by opening a new one you will get more responses even if I don't respond immediately.

Don't have an account?
Coming from Hortonworks? Activate your account here