Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

Zeppelin Livy Interpreter : 401 User not authorised to use Livy.

Highlighted

Zeppelin Livy Interpreter : 401 User not authorised to use Livy.

On HDP-2.6.2, I am trying to run start a basic Livy Interpreter. I executed the following:

%livy.spark
sc.version

I get the following error:

org.springframework.web.client.HttpClientErrorException: 401 User not authorised to use Livy. at org.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:91) at org.springframework.web.client.RestTemplate.handleResponse(RestTemplate.java:667) at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:620) at org.springframework.security.kerberos.client.KerberosRestTemplate.doExecuteSubject(KerberosRestTemplate.java:202) at org.springframework.security.kerberos.client.KerberosRestTemplate.access$100(KerberosRestTemplate.java:67) at org.springframework.security.kerberos.client.KerberosRestTemplate$1.run(KerberosRestTemplate.java:191) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAs(Subject.java:360) at org.springframework.security.kerberos.client.KerberosRestTemplate.doExecute(KerberosRestTemplate.java:187) at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:580) at org.springframework.web.client.RestTemplate.exchange(RestTemplate.java:498) at org.apache.zeppelin.livy.BaseLivyInterpreter.callRestAPI(BaseLivyInterpreter.java:501) at org.apache.zeppelin.livy.BaseLivyInterpreter.createSession(BaseLivyInterpreter.java:212) at org.apache.zeppelin.livy.BaseLivyInterpreter.initLivySession(BaseLivyInterpreter.java:119) at org.apache.zeppelin.livy.BaseLivyInterpreter.open(BaseLivyInterpreter.java:101) at org.apache.zeppelin.interpreter.LazyOpenInterpreter.open(LazyOpenInterpreter.java:69) at org.apache.zeppelin.interpreter.remote.RemoteInterpreterServer$InterpretJob.jobRun(RemoteInterpreterServer.java:493) at org.apache.zeppelin.scheduler.Job.run(Job.java:175) at org.apache.zeppelin.scheduler.FIFOScheduler$1.run(FIFOScheduler.java:139) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) at org.apache.zeppelin.livy.BaseLivyInterpreter.callRestAPI(BaseLivyInterpreter.java:520) at org.apache.zeppelin.livy.BaseLivyInterpreter.createSession(BaseLivyInterpreter.java:212) at org.apache.zeppelin.livy.BaseLivyInterpreter.initLivySession(BaseLivyInterpreter.java:119) at org.apache.zeppelin.livy.BaseLivyInterpreter.open(BaseLivyInterpreter.java:101) at org.apache.zeppelin.interpreter.LazyOpenInterpreter.open(LazyOpenInterpreter.java:69) at org.apache.zeppelin.interpreter.remote.RemoteInterpreterServer$InterpretJob.jobRun(RemoteInterpreterServer.java:493) at org.apache.zeppelin.scheduler.Job.run(Job.java:175) at org.apache.zeppelin.scheduler.FIFOScheduler$1.run(FIFOScheduler.java:139) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745)

In core-site.xml I have:

hadoop.proxyuser.livy.groups = *

hadoop.proxyuser.livy.hosts = *

Here are the Livy Interpreter properties

livy %livy, %livy.sql, %livy.pyspark, %livy.pyspark3, %livy.sparkr

Properties
namevalue
livy.impersonation.enabledtrue
livy.proxy.user.propertyproxyUser
livy.spark.driver.cores
livy.spark.driver.memory
livy.spark.dynamicAllocation.cachedExecutorIdleTimeout
livy.spark.dynamicAllocation.enabled
livy.spark.dynamicAllocation.initialExecutors
livy.spark.dynamicAllocation.maxExecutors
livy.spark.dynamicAllocation.minExecutors
livy.spark.executor.cores
livy.spark.executor.instances
livy.spark.executor.memory
livy.spark.jars.packages
livy.superuserszeppelin-dinesh
proxyUser${loggedInUser}
zeppelin.interpreter.localRepo/usr/hdp/current/zeppelin-server/local-repo/2CVTNVW1S
zeppelin.interpreter.output.limit
zeppelin.livy.concurrentSQLfalse
zeppelin.livy.displayAppInfotrue
zeppelin.livy.keytab/etc/security/keytabs/zeppelin.server.kerberos.keytab
zeppelin.livy.principalzeppelin-dinesh@DOMAIN
zeppelin.livy.pull_status.interval.millis
zeppelin.livy.session.create_timeout
zeppelin.livy.spark.sql.field.truncatetrue
zeppelin.livy.spark.sql.maxResult
zeppelin.livy.urlhttp://LivyHost:8998

Custom livy-env is attached.

P.S. This is a kerberized cluster with Zeppelin Authentication and Livy Impersonation enabled. I have also been able to use other interpreters before successfully.


screen-shot-2017-10-19-at-54334-pm.png
3 REPLIES 3

Re: Zeppelin Livy Interpreter : 401 User not authorised to use Livy.

Expert Contributor

Did you ever figure this out? I'm running into the same issue.

Re: Zeppelin Livy Interpreter : 401 User not authorised to use Livy.

Mentor

@Dinesh Chitlangia

Livy requires that this service principal is configured with a couple of different parameters, namely:

livy.server.launch.kerberos.[principal|keytab] 
livy.server.auth.kerberos.[principal|keytab] 

Also livy.server.auth.type needs to be set to kerberos.

livy.impersonation.enabled = true
livy.server.auth.type = kerberos
livy.server.launch.kerberos.principal = livy/node2.{fqdn}@TEX.COM
livy.server.launch.kerberos.keytab = /etc/security/keytabs/livy.service.keytab
livy.server.auth.kerberos.principal = HTTP/node2.{fqdn}@TEX.COM
livy.server.auth.kerberos.keytab = /etc/security/keytabs/spnego.service.keytab 

This livy.server.auth.type will also set authentication for the Livy server itself.

To configure Zeppelin with authentication for Livy you need to set the following in the interpreter settings:

"zeppelin.livy.principal": "zeppelin/node2.{fqdn}@TEX.COM", 
"zeppelin.livy.keytab": "/etc/security/keytabs/zeppelin.service.keytab" 

The launch parameters are used during startup:

export SPARK_HOME=/usr/hdp/current/spark-client 
export JAVA_HOME=/usr/lib/jvm/java-1.8.0-openjdk 
export PATH=/usr/lib/jvm/java-1.8.0-openjdk/bin:$PATH 
export HADOOP_CONF_DIR=/etc/hadoop/conf 
export LIVY_SERVER_JAVA_OPTS="-Xmx2g" 

Kinit is not required with 0.3 of Livy, which is the version being used here.

With livy 0.2 it is required to kinit the livy user before starting the web-service:

$ su livy 
$ kinit -kt /etc/security/keytabs/livy.service.keytab livy/node2.{fqdn}@TEX.COM 
$ bin/livy-server start 

Authorization

With authentication enabled setting authorization will likely be required. For this Livy provides access control settings to control which users have access to the resources:

livy.server.access_control.enabled = true 
livy.server.access_control.users = livy,zeppelin 

Further, for services like Zepplin impersonation settings are required. In order for the zeppelin user to be able to impersonate other users, it requires to be a superuser.

livy.superusers=zeppelin

Hope that helps

Re: Zeppelin Livy Interpreter : 401 User not authorised to use Livy.

New Contributor

@ Dinesh Chitlangia

I have the same problem as you, did you find a solution please ?