It bas been asked many times. For now only livy can impersonate the spark user. For other interpreters it's not possible as I know...
Le 29 nov. 2016 7:44 PM, "Ruslan Dautkhanov" <dautkha...@gmail.com> a écrit : > What's a best way to have a multi-tennant Zeppelin notebook? > > It seems we currently will have to ask users to run their own Zeppelin > instances. > Since each user has its own authethentication & authorization based on > user who runs > Zeppelin server. > > I see best solution could be to have probably --keytab and --principal to > be > notebook-level parameters rather than server-level. > > So, for example, I can see Zeppelin multitennancy could be implemented as > 1) users after being authenticated through LDAP, > 2) that user gets mapped to a --keytab and --principal pair specific for > that user > so in-Hadoop HDFS, Hive etc access will be specific for that user > (through HDFS ACL, and Sentry/Ranger roles). > > Another way: It might be easier to implement through spark-submit's > --proxy-user > parameter, but I am not sure details in this case. > I know that for example Cloudera's Hue is using proxy authentication quite > successfully > in our organization. I.e. Hue does LDAP authentication, and then > impersonates to that > specific user and all requests are made on behalf of that user (although > `hue` is actual > OS user that runs Hue service). Other Hadoop services are just configured > to trust > user `hue` to impersonate to other users. > > Is there is a better way? > > Anything in Zeppelin roadmap to bring user multitennancy? > > > Thank you, > Ruslan Dautkhanov >
