Zeppelin Interpreter User Impersonation property not functioning

Explorer

Created %hive interpreter with user impersonation enabled and submitting queries getting this error:

user [anonymous] does not have [USE] privilege on [null]

Created %jdbc(hive) and submitting jobs, the user is able to access everything as the query is running with hive as a user (Ranger permissions set for hive to access everything).

Please help me configure this so that the user logged in is able to access only those tables which it has access for in Ranger policies.

Re: Zeppelin Interpreter User Impersonation property not functioning

Explorer

@Jay Kumar SenSharma if you could help me on this?

Re: Zeppelin Interpreter User Impersonation property not functioning

Super Mentor

@Neha Nirmal

At this point I am not sure about how to fix this. But I will do some research on this.

I will check one article which seems to be good to start with: https://community.hortonworks.com/articles/93179/secured-access-to-hive-using-zeppelins-jdbchive-in....

Re: Zeppelin Interpreter User Impersonation property not functioning

@Neha Nirmal,

Can you check if you have set "hive.server2.enable.doAs" to true? This will make sure that queries are executed as the end user instead of the hive user. Make sure that the user running the query has proper permissions to the hive warehouse directory (/apps/hive).

Assign the user access to these HDFS directories in ranger.

Also, in the jdbc interpreter remove these params if present (hive.user, hive.proxy.user.property).

Note: I did not try out your use case personally. It's worth giving it a try.

Thanks,

Aditya

Re: Zeppelin Interpreter User Impersonation property not functioning

Explorer

For hive.server2.enable.doAs, hive-interactive site has "Run as end user instead of Hive user=true"

When running the queries from beeline for the same user it works fine so permissions are correct.

Jdbc interpreter does not have any of the above parameters. Although tried with these as well.

It keeps taking user as anonymous if no default user is specified. And anonymous has no access.

In Zeppelin config: "zeppelin.anonymous.allowed=false" is also set.

Re: Zeppelin Interpreter User Impersonation property not functioning

@Neha Nirmal,

Are you using the hive interactive url or the hive server2 url from zeppelin? Please check the hive.url param in the interpreter settings.

If you are using hive server2, then you should set "Run as end user instead of Hive user=true" for hiveserver2 and not in hive-interactive.

Hive -> Config -> Settings -> Security.

Re: Zeppelin Interpreter User Impersonation property not functioning

Explorer

@Aditya Sirna, This property is set true for both in security part and in hive interactive as well.

In hive-interactive this is set as default setting.

Although using hiveserver2.

Re: Zeppelin Interpreter User Impersonation property not functioning

Explorer

@Aditya Sirna, @Geoffrey Shelton Okot

Should this line be commented or not?

#/api/version = anon

What is this exactly doing?

The problem is that the requests are getting submitted as anonymous irrespective of keeping the user impersonation option checked or unchecked. It's an Access Control Exception.

Please suggest.

Re: Zeppelin Interpreter User Impersonation property not functioning

Explorer

Details of shiro_ini_content

[urls]
# This section is used for url-based security.
# You can secure interpreter, configuration and credential information by urls. Comment or uncomment the below urls that you want to hide.
# anon means the access is anonymous.
# authc means Form based Auth Security
# To enforce security, comment the line below and uncomment the next one
#/api/version = anon
#/api/interpreter/** = authc, roles[admin]
#/api/configurations/** = authc, roles[admin]
#/api/credential/** = authc, roles[admin]
#/** = anon
#/** = authc
/api/configurations/** = authc, roles[admin]
/api/credential/** = authc, roles[admin]
/** = authc

Re: Zeppelin Interpreter User Impersonation property not functioning

Mentor

@Neha Nirmal

To disable anonymous access to Zeppelin, add a comment character (#) at the start of the line containing /** = anon.

Here is an example:

[urls]
#/api/version = anon
#/** = anon
/** = authc
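
As an added illustration (not code from this thread or from Zeppelin), the Python sketch below reads a shiro.ini [urls] section like the ones posted above and reports which filter chain a request path resolves to, using Shiro's first-match-wins rule ordering. The Ant-pattern translation is a simplified approximation, and the function names, the OPEN variant and the sample paths are assumptions made for the example.

```python
import re

# [urls] lines as posted in the thread (abridged to the relevant entries).
POSTED = """[urls]
#/api/version = anon
#/api/interpreter/** = authc, roles[admin]
#/** = anon
/api/configurations/** = authc, roles[admin]
/api/credential/** = authc, roles[admin]
/** = authc
"""
# Constructed counter-example: the anon catch-all is active and listed first.
OPEN = "[urls]\n/api/version = anon\n/** = anon\n/** = authc\n"
# Constructed sample request paths, built from the patterns on this page.
SAMPLE_PATHS = ["/api/version", "/api/interpreter/setting", "/api/credential/x"]

def active_url_rules(ini_text):
    # (pattern, filter chain) pairs from [urls], in file order, comments skipped.
    rules, in_urls = [], False
    for line in map(str.strip, ini_text.splitlines()):
        if line.startswith("["):
            in_urls = line == "[urls]"
        elif in_urls and line and not line.startswith(("#", ";")):
            pattern, _, chain = line.partition("=")
            rules.append((pattern.strip(), chain.strip()))
    return rules

def ant_to_regex(pattern):
    # Simplified Ant-style matching: ** spans segments, * and ? stay inside one.
    tokens = {"/**": "(/.*)?", "**": ".*", "*": "[^/]*", "?": "[^/]"}
    body = re.sub(r"/\*\*|\*\*|\*|\?|[^*?]",
                  lambda m: tokens.get(m.group(), re.escape(m.group())), pattern)
    return re.compile(body + r"\Z")

def effective_chain(rules, path):
    # The first matching rule wins; None means no [urls] rule covers the path.
    for pattern, chain in rules:
        if ant_to_regex(pattern).match(path):
            return chain
    return None

def unauthenticated_paths(rules, paths):
    # Paths that resolve to anon, or that no rule (and so no filter) covers.
    return [p for p in paths if effective_chain(rules, p) in (None, "anon")]

if __name__ == "__main__":
    for name, text in (("posted", POSTED), ("open", OPEN)):
        rules = active_url_rules(text)
        print(name, {p: effective_chain(rules, p) for p in SAMPLE_PATHS})
```

With the posted section every sample path requires authentication, and /api/interpreter/setting resolves to plain authc because its roles[admin] line is commented out; with the OPEN variant the active /** = anon line shadows /** = authc for every path.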