Zeppelin user impersonation doesn't work

Rising Star

Hi, I did these steps for Zeppelin user impersonation, but it doesn't work. Am I missing something?

Zeppelin has LDAP and Kerberos integration. The configuration is done in the shiro configuration and authentication works.

1- sudo configuration for the zeppelin user is done in /etc/sudoers:

zeppelin ALL=(ALL) NOPASSWD: ALL

2- Write permission for other users to the zeppelin log folder is OK; it is also configured in /var/lib/ambari-server/resources/common-services/ZEPPELIN/0.6.0.2.5/package/scripts/master.py

3- These lines are added to core-site.xml in HDFS:

hadoop.proxyuser.zeppelin.hosts=*
hadoop.proxyuser.zeppelin.groups=*

4- advanced-zeppelin-env is configured; the lines below were added:

ZEPPELIN_IMPERSONATE_USER=`echo ${ZEPPELIN_IMPERSONATE_USER} | cut -d "@" -f1`
ZEPPELIN_IMPERSONATE_CMD='sudo -H -u zeppelin bash -c'

5- Each interpreter's configuration is changed to "per user, isolated" and "user impersonate" is selected (I tried it for shell and spark). After restarting Zeppelin I get the attached errors.

71480-39388239-333197ca-4a87-11e8-87d2-b868b9c067ea.png

71479-screen-shot-2018-04-29-at-014348.png

6 REPLIES

Re: Zeppelin user impersonation doesn't work

Mentor

@Mustafa Kemal MAYUK

This is what you need to do; this is an HCC resource.

How to enable user impersonation for SH interpreter in Zeppelin

Hope that helps


Re: Zeppelin user impersonation doesn't work

Rising Star

Thanks @Geoffrey Shelton Okot

But this solution is for local OS users; I need something for LDAP users. Also I need something for all interpreters; my problem is not shell-interpreter specific.


Re: Zeppelin user impersonation doesn't work

Mentor

@Mustafa Kemal MAYUK

Can you share your shiro.ini after scrambling sensitive info?


Re: Zeppelin user impersonation doesn't work

Rising Star

Hi, here it is:

[users]
# List of users with their password allowed to access Zeppelin.
# To use a different strategy (LDAP / Database / ...) check the shiro doc at http://shiro.apache.org/configuration.html#Configuration-INISections
admin = admin, admin
user1 = user1, role1, role2
user2 = user2, role3
user3 = user3, role2
# Sample LDAP configuration, for user Authentication, currently tested for single Realm
[main]
### A sample for configuring Active Directory Realm
#activeDirectoryRealm = org.apache.zeppelin.realm.ActiveDirectoryGroupRealm
#activeDirectoryRealm.systemUsername = userNameA
#use either systemPassword or hadoopSecurityCredentialPath, more details in http://zeppelin.apache.org/docs/latest/security/shiroauthentication.html
#activeDirectoryRealm.systemPassword = passwordA
#activeDirectoryRealm.hadoopSecurityCredentialPath = jceks://file/user/zeppelin/zeppelin.jceks
#activeDirectoryRealm.searchBase = CN=Users,DC=SOME_GROUP,DC=COMPANY,DC=COM
#activeDirectoryRealm.url = ldap://ldap.test.com:389
#activeDirectoryRealm.groupRolesMap = "CN=admin,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM":"admin","CN=finance,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM":"finance","CN=hr,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM":"hr"
#activeDirectoryRealm.authorizationCachingEnabled = false
### A sample for configuring LDAP Directory Realm
ldapRealm = org.apache.zeppelin.realm.LdapRealm
## search base for ldap groups (only relevant for LdapGroupRealm):
ldapRealm.contextFactory.environment[ldap.searchBase] = mysearchbase
ldapRealm.contextFactory.url = myldapserver
ldapRealm.userDnTemplate = myuserdntemplae
ldapRealm.contextFactory.authenticationMechanism = SIMPLE
ldapRealm.authorizationEnabled=true
ldapRealm.userSearchBase=myusersearchbase
ldapRealm.groupSearchBase=mygroupsearchbase
ldapRealm.userObjectClass=inetorgperson
ldapRealm.groupObjectClass=groupofnames
ldapRealm.memberAttribute=member
securityManager.realms = $ldapRealm
ldapRealm.rolesByGroup = "admingroup": "admin"
### A sample PAM configuration
#pamRealm=org.apache.zeppelin.realm.PamRealm
#pamRealm.service=sshd
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
### If caching of user is required then uncomment below lines
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager
securityManager.sessionManager = $sessionManager
# 86,400,000 milliseconds = 24 hour
securityManager.sessionManager.globalSessionTimeout = 86400000
shiro.loginUrl = /api/login
[roles]
role1 = *
role2 = *
role3 = *
admin = *
[urls]
# This section is used for url-based security.
# You can secure interpreter, configuration and credential information by urls. Comment or uncomment the below urls that you want to hide.
# anon means the access is anonymous.
# authc means Form based Auth Security
# To enforce security, comment the line below and uncomment the next one
/api/version = anon
/** = authc
#/api/interpreter/** = authc, roles[admin]
#/api/configurations/** = authc, roles[admin]
#/api/credential/** = authc, roles[admin]
#/** = anon

Re: Zeppelin user impersonation doesn't work

Mentor

@Mustafa Kemal MAYUK

I have seen some variations which aren't correct. I would like you to compare with this HCC doc. One thing already: in the [urls] part, the /** = authc should be the last entry, and a couple of others!!
Please revert!!


Re: Zeppelin user impersonation doesn't work

Rising Star

Hi @Geoffrey Shelton Okot, I decided to test with a local user. I also added a principal to Kerberos with the same name. I did the configuration in the URL that you mentioned before.

[users]
# List of users with their password allowed to access Zeppelin.
# To use a different strategy (LDAP / Database / ...) check the shiro doc at http://shiro.apache.org/configuration.html#Configuration-INISections
admin = admin, admin
zptest = password, role1
user1 = user1, role1, role2
user2 = user2, role3
user3 = user3, role2
# Sample LDAP configuration, for user Authentication, currently tested for single Realm
[main]
### A sample for configuring Active Directory Realm
#activeDirectoryRealm = org.apache.zeppelin.realm.ActiveDirectoryGroupRealm
#activeDirectoryRealm.systemUsername = userNameA
#use either systemPassword or hadoopSecurityCredentialPath, more details in http://zeppelin.apache.org/docs/latest/security/shiroauthentication.html
#activeDirectoryRealm.systemPassword = passwordA
#activeDirectoryRealm.hadoopSecurityCredentialPath = jceks://file/user/zeppelin/zeppelin.jceks
#activeDirectoryRealm.searchBase = CN=Users,DC=SOME_GROUP,DC=COMPANY,DC=COM
#activeDirectoryRealm.url = ldap://ldap.test.com:389
#activeDirectoryRealm.groupRolesMap = "CN=admin,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM":"admin","CN=finance,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM":"finance","CN=hr,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM":"hr"
#activeDirectoryRealm.authorizationCachingEnabled = false
### A sample PAM configuration
#pamRealm=org.apache.zeppelin.realm.PamRealm
#pamRealm.service=sshd
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
### If caching of user is required then uncomment below lines
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager
securityManager.sessionManager = $sessionManager
# 86,400,000 milliseconds = 24 hour
securityManager.sessionManager.globalSessionTimeout = 86400000
shiro.loginUrl = /api/login
[roles]
role1 = *
role2 = *
role3 = *
admin = *
[urls]
# This section is used for url-based security.
# You can secure interpreter, configuration and credential information by urls. Comment or uncomment the below urls that you want to hide.
# anon means the access is anonymous.
# authc means Form based Auth Security
# To enforce security, comment the line below and uncomment the next one
/api/version = anon
#/api/interpreter/** = authc, roles[admin]
#/api/configurations/** = authc, roles[admin]
#/api/credential/** = authc, roles[admin]
#/** = anon
/** = authc

I am logging in to Zeppelin with the zptest user and the "whoami" command displays "zeppelin". The impersonation part of the advanced env is here:

#--- FOR IMPERSONATION -- START ----
ZEPPELIN_IMPERSONATE_USER=`echo ${ZEPPELIN_IMPERSONATE_USER} | cut -d "@" -f1`
export ZEPPELIN_IMPERSONATE_CMD='sudo -H -u zeppelin bash -c'
export SPARK_HOME=/usr/hdp/current/spark2-client/
export PYTHONPATH=$SPARK_HOME/python/:$PYTHONPATH
export PYTHONPATH=$SPARK_HOME/python/lib/py4j-0.9-src.zip:$PYTHONPATH # This is version based config and needs to be changed based on the spark version
export SPARK_YARN_USER_ENV="PYTHONPATH=${PYTHONPATH}"
#--- FOR IMPERSONATION -- END ----
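Three pieces of configuration in this thread have to line up before impersonation can work: the hadoop.proxyuser.* properties in core-site.xml (step 3 of the first post), the ZEPPELIN_IMPERSONATE_* lines in zeppelin-env (step 4 and the last post), and the ordering of the [urls] section in shiro.ini that the Mentor points at. The Python script below is an added example written for this page; it is not code from the thread, from Zeppelin or from Ambari. It runs a few pre-flight checks over constructed copies of those three fragments and reports what a reviewer would look for. It relies on three assumptions stated here and in the comments: Hadoop only honours a proxyuser property whose name matches exactly, so a misspelled key is silently ignored; Shiro applies the first [urls] chain whose pattern matches, so a rule placed after a `/**` rule is never evaluated; and `sudo -u` with a literal account name switches to that account for every caller, so an impersonation command that does not reference `${ZEPPELIN_IMPERSONATE_USER}` runs every notebook user as the same account. The sample inputs are constructed and deliberately contain a misspelled proxyuser key, a hard-coded sudo target and a role rule shadowed by the catch-all.

```python
"""Pre-flight checks for a Zeppelin impersonation setup (added example).

Inputs are constructed fragments of core-site.xml, zeppelin-env and
shiro.ini; each check returns a list of (severity, message) tuples.
"""
import difflib
import re
import xml.etree.ElementTree as ET

IMPERSONATE_VAR = "ZEPPELIN_IMPERSONATE_USER"

# Constructed sample: the 'groups' property name is deliberately misspelled.
CORE_SITE_XML = """<?xml version="1.0"?>
<configuration>
  <property><name>hadoop.proxyuser.zeppelin.hosts</name><value>*</value></property>
  <property><name>hadoop.procyuser.zeppelin.goups</name><value>*</value></property>
</configuration>
"""

# Constructed sample: the sudo target is a fixed account, not the logged-in user.
ZEPPELIN_ENV = """#--- FOR IMPERSONATION -- START ----
ZEPPELIN_IMPERSONATE_USER=`echo ${ZEPPELIN_IMPERSONATE_USER} | cut -d "@" -f1`
export ZEPPELIN_IMPERSONATE_CMD='sudo -H -u zeppelin bash -c'
#--- FOR IMPERSONATION -- END ----
"""

# Constructed sample: a role-restricted rule placed after the catch-all.
SHIRO_INI = """[urls]
/api/version = anon
/** = authc
/api/interpreter/** = authc, roles[admin]
"""


def check_proxyuser(core_site_xml, proxy_user="zeppelin"):
    """Verify hadoop.proxyuser.<user>.hosts and .groups exist; hint at near-misses.

    Assumption: Hadoop matches property names exactly, so a misspelled key
    is silently ignored and the proxy request is rejected.
    """
    props = {p.findtext("name"): p.findtext("value")
             for p in ET.fromstring(core_site_xml).iter("property")}
    findings = []
    for suffix in ("hosts", "groups"):
        key = f"hadoop.proxyuser.{proxy_user}.{suffix}"
        if key in props:
            if props[key].strip() == "*":
                findings.append(("info", f"{key} is '*': the proxy is accepted "
                                         f"from any {suffix[:-1]}; consider narrowing it"))
            continue
        msg = f"{key} is missing"
        near = difflib.get_close_matches(key, list(props), n=1, cutoff=0.8)
        if near:
            msg += f" (found '{near[0]}' instead; Hadoop ignores a misspelled key)"
        findings.append(("error", msg))
    return findings


def check_impersonate_cmd(env_text):
    """The sudo target must be derived from ZEPPELIN_IMPERSONATE_USER, not a literal.

    Assumption: 'sudo -u <literal>' switches to that one account for every caller.
    """
    m = re.search(r"^(?:export\s+)?ZEPPELIN_IMPERSONATE_CMD=(['\"]?)(.*)\1\s*$",
                  env_text, re.MULTILINE)
    if not m:
        return [("error", "ZEPPELIN_IMPERSONATE_CMD is not set")]
    cmd = m.group(2)
    target = re.search(r"-u\s+(\S+)", cmd)
    if not target:
        return [("error", f"no '-u <user>' argument in impersonate command: {cmd}")]
    if IMPERSONATE_VAR not in target.group(1):
        return [("error", f"impersonate command switches to the fixed account "
                          f"'{target.group(1)}' instead of ${{{IMPERSONATE_VAR}}}; "
                          f"every notebook user would run as that account")]
    return []


def check_shiro_urls(ini_text):
    """Shiro uses the first matching chain, so any rule after '/**' is dead."""
    in_urls, catch_all, findings = False, None, []
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_urls = line == "[urls]"
            continue
        if not in_urls or "=" not in line:
            continue
        pattern = line.split("=", 1)[0].strip()
        if catch_all:
            findings.append(("error", f"'{pattern}' is unreachable: '{catch_all}' earlier "
                                      f"in [urls] already matches every path"))
        elif pattern == "/**":
            catch_all = pattern
    if catch_all is None:
        findings.append(("warn", "no '/**' rule in [urls]; unlisted paths bypass Shiro's filters"))
    return findings


def run_all():
    """Run every check over the constructed samples, keyed by source file."""
    return {
        "core-site.xml": check_proxyuser(CORE_SITE_XML),
        "zeppelin-env": check_impersonate_cmd(ZEPPELIN_ENV),
        "shiro.ini": check_shiro_urls(SHIRO_INI),
    }


if __name__ == "__main__":
    for source, findings in run_all().items():
        for severity, message in findings:
            print(f"[{severity}] {source}: {message}")
```

Run against a real deployment by replacing the three constants with the contents of the actual files. The `info` finding on `*` is deliberate: the thread's `hadoop.proxyuser.zeppelin.hosts=*` works, but the proxyuser properties accept a comma-separated list of hosts and groups, and restricting them to the Zeppelin server host and the groups that are allowed to use notebooks keeps the superuser grant as narrow as it needs to be.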