
Livy Impersonation in Zeppelin HDP2.6

New Contributor

@Geoffrey Shelton Okot

Hi Sir,

I have an HDP 2.6 cluster.

Kerberos enabled

Zeppelin is integrated with LDAP for auth

Proxy setting is set correctly

Problem statement: Livy user impersonation is not working

Trying to run from Zeppelin:

------------

%livy2.spark

sc.version

----------

Error:

javax.security.auth.login.LoginException: Unable to obtain password from user
    at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:897)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:760)
    at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
    at org.springframework.security.kerberos.client.KerberosRestTemplate.doExecute(KerberosRestTemplate.java:185)
    at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:580)
    at org.springframework.web.client.RestTemplate.exchange(RestTemplate.java:498)

Re: Livy Impersonation in Zeppelin HDP2.6

Mentor

@sameer dalai

That's a typical Kerberos issue!

Is the shiro.ini updated with the LDAP configuration?

Can you share your redacted

krb5.conf 
kadm5.acl 
kdc.conf

Which user are you trying to run as?

Please revert

Re: Livy Impersonation in Zeppelin HDP2.6

New Contributor

@Geoffrey Shelton Okot

This is my interpreter setting

I am logged in as user sameer.dalai, authenticated by LDAP, in Zeppelin

No sssd in linux host

custom-core site is all *

Livy2 user impersonation is enabled


Note: I am now getting an error:

%livy2.pyspark

#

org.apache.zeppelin.livy.LivyException: {"msg":"User 'zeppelin-goa_datalake_1' not allowed to impersonate 'Some(sameer.dalai)'."}
org.springframework.web.client.HttpClientErrorException: 403 Forbidden
    at org.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:91)
    at org.springframework.web.client.RestTemplate.handleResponse(RestTemplate.java:667)
    at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:620)
    at org.springframework.security.kerberos.client.KerberosRestTemplate.doExecuteSubject(KerberosRestTemplate.java:202)
    at org.springframework.security.kerberos.client.KerberosRestTemplate.access$100(KerberosRestTemplate.java:67)
    at org.springframework.security.kerberos.client.KerberosRestTemplate$1.run(KerberosRestTemplate.java:191)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:360)


[Attached image: 108482-1556921054525.png]

Re: Livy Impersonation in Zeppelin HDP2.6

New Contributor

@Geoffrey Shelton Okot

I am logged in as my user (sameer.dalai) in Zeppelin, which is authenticated via LDAP, to run livy2.pyspark

Please find my krb5.conf:

[Attached image: 108438-1557172951952.png]

shiro.ini file:

[Attached image: 108493-1557172971166.png]

Re: Livy Impersonation in Zeppelin HDP2.6

Mentor

@sameer dalai

No files attached

Re: Livy Impersonation in Zeppelin HDP2.6

New Contributor

I had pasted the shiro.ini file. Let me know if you need the complete file and any log file as well; I am happy to provide them.

Re: Livy Impersonation in Zeppelin HDP2.6

New Contributor

@Geoffrey Shelton Okot sir, I don't find the below files in my cluster

  1. kadm5.acl
  2. kdc.conf

Thanks for your quick reply sir

Regards


Re: Livy Impersonation in Zeppelin HDP2.6

New Contributor

@Geoffrey Shelton Okot


Just for your reference, if I set "livy.impersonation.enabled" to false, everything is working with Kerberos.

But I want to set Livy impersonation to true so that users from my organization can use Zeppelin and KNIME to submit Spark jobs by logging in to Zeppelin with their own domain credentials, and to avoid managing user access individually.


My version details are:

HDP2.6

Kerberos enabled through AD

Spark 2.3.0, Zeppelin 0.7.3

Zeppelin is enabled with LDAP config for user auth

Knox is enabled

Custom-core.site file is updated with *

I would appreciate it if someone could help fix the Livy user impersonation issue; below is the error in Zeppelin:

[Attached image: 108428-1557173570966.png]

Re: Livy Impersonation in Zeppelin HDP2.6

Mentor

@sameer dalai

Your Shiro.ini is not even an image but a thumbnail. Depending on your OS the location of the below files will vary a bit

krb5.conf 
kadm5.acl 
kdc.conf

Please attach the Shiro as a PDF



Re: Livy Impersonation in Zeppelin HDP2.6

New Contributor