I think Vincent's option 1 is the way to go at this stage. Basically, in a multi-users environment, every users should have their own storage and processing. So far Zeppelin has not seen to be able to isolate users totally.
My question is, 1. I am using windows for client which means Zeppelin is installed on windows. Is their any downside or limitation? 2. Even installed on individual desktop, I still like to have authentication for login as users may access their desktop remotely from browser. Any idea how to set this up? 3. I am using MapR cluster. Does anyone have similar experiences on how to config secure cluster with zeppelin in windows? Also is it possible to set up an admin user for every desktop so that only I can change the configuration? Thanks, On 22 September 2016 at 18:16, vincent gromakowski < vincent.gromakow...@gmail.com> wrote: > It seems credentials are saved per user as described in Shiro, can you > confirm ? I don't find anything in credential API that links the datasource > user to zeppelin user... Or username on datasource should be the same as > Zeppelin username ? > > Can an admin user set credentials for other users ? > > 2016-09-22 10:12 GMT+02:00 vincent gromakowski < > vincent.gromakow...@gmail.com>: > >> Hi, >> From my point of view you have 3 options: >> >> 1. Use a dedicated zeppelin instance per user. Solution I currently use. >> Mesos/marathon launch an instance by user with it's linux UID. A service >> discovery is routing each user based on HTTPS basic auth to his instance. >> Because the configuration file is dedicated per user, it's easy to setup >> credentials for backend. Because the UID is also setup, spark jobs are >> running under each user permissions. This way is totally secure, but no >> possible sharing between users except sending notebooks by mail or git repo >> >> 2. Use a shared instance and configure Shiro permissions which allow to >> manage multi tenancy in Zeppelin (notebooks access) but not in backend as >> all users notebooks will run under the same UID and have the same >> credentials for accessing backend >> >> 3. Use a shared instance and a backend that allows impersonation like >> Livy server. Livy server will execute Spark sessions per user. What is >> unclear is how to deal with backend credentials ? How to configure multiple >> Cassandra credentials and attach each one to a user ? Same thing for Spark >> Livy, How can we configure each Livy session with users cassandra >> credentials ? And finally how credentials are secured in Zeppelin ? >> >> 2016-09-22 8:59 GMT+02:00 York Huang <yorkhuang.d...@gmail.com>: >> >>> Hi DuyHai, >>> >>> I would like to know how to set up security (authentication and >>> authorization), the architecture, etc. >>> >>> The users are using windows. I am ok to set up individual zeppelin on >>> their desktop or a central zeppelin server. But I want to know the >>> complexity, limitation, details, etc. >>> >>> Many thanks! >>> >>> On 16 September 2016 at 03:51, DuyHai Doan <doanduy...@gmail.com> wrote: >>> >>>> Right now, you have some options to isolate the notes. Look at the doc >>>> about interpreter binding mode here : http://zeppelin.apache.org/d >>>> ocs/0.7.0-SNAPSHOT/manual/interpreters.html#interpreter-binding-mode >>>> >>>> >>>> >>>> On Thu, Sep 15, 2016 at 7:15 AM, York Huang <yorkhuang.d...@gmail.com> >>>> wrote: >>>> >>>>> Hi, >>>>> >>>>> I want to set up a environment for a group of users so that they can >>>>> access zeppelin. Each of them should have their own space, should not >>>>> interfere each other. >>>>> >>>>> I install zeppelin on the MapR sandbox. If I access it from different >>>>> computers, even I access different notebooks, the data are still shared. >>>>> >>>>> What I want is the data should be totally seperate between users and >>>>> notebooks. >>>>> >>>>> How do I set it up like this? >>>>> >>>>> Thanks, >>>>> >>>>> York Huang >>>>> >>>> >>>> >>> >> >
