I am using Zeppelin 0.7.1 configured with AD authentication and HDP 2.5 with Kerberos. When I simply run "show databases" as "user1" I got the error: "Permission denied: user [user1@MYDOMAIN.COM] does not have [USE] [...]". On my other cluster with the same configuration, "user1" is treated as "user1" (without @MYDOMAIN.COM), so my policies are working well. Any ideas what could be the reason?
I have also noticed that the Hive interpreter is logging to a separate log file on the working cluster, while the cluster with the non-working Hive interpreter is logging to the main Zeppelin log file (where authentication is logged etc.).
It is likely you are logging into Zeppelin as user1@MYDOMAIN.COM but the access to databases is for user1. If that is the case you would need to reconfigure your shiro_ini to enable you to get authenticated to Zeppelin as user1 WITHOUT the domain. The following property would do that for you:
activeDirectoryRealm.principalSuffix = @mydomain.com
I hope this helps.
Thank you for the answer. Exactly, I am logging in as user1@MYDOMAIN.COM. However, when I set
activeDirectoryRealm.principalSuffix = @MYDOMAIN.COM
I can't log in using user1, or even user1@MYDOMAIN.COM (ldap error 49, 52e). When I delete the above parameter I can log in using @MYDOMAIN.COM in upper, lower or mixed case.