Configuring Impersonation in Zeppelin

Impersonation for Apache Zeppelin is enabled and configured through the user interface, separately for each interpreter. This page describes how to perform that configuration.

For each interpreter on which impersonation is to be enabled, set how the interpreter is instantiated by selecting or checking the following options in the user interface:
  • Per User
  • Isolated
  • User Impersonate

Excluding Spark and JDBC-based interpreters such as Hive and Drill, impersonation operates in the background using one of the following methods:
  • Passwordless sudo (the default)
  • SSH-keys

Passwordless sudo

For passwordless sudo use cases, interpreter processes for each user are started using sudo from the user that runs the notebook.

NOTE: This operation excludes Spark and JDBC-based interpreters, such as JDBC, Hive, and Drill.

The settings for the user that runs Zeppelin Server (the cluster admin) are configured to use sudo without a password. Typically, this configuration is done by adding the following line to the sudo configuration:

mapr ALL=(ALL) NOPASSWD: ALL

WARNING: Use caution when performing sudo configurations. Passwordless sudo configurations can weaken security on your cluster.

Note that on a secure cluster, the interpreter process is launched from the user that runs the notebook. As such, that user needs to specify a user ticket.

SSH-key-based Impersonation

With SSH-key-based impersonation, the Zeppelin server user logs into the user shell with SSH (as opposed to executing commands with sudo). This method is more secure than using passwordless sudo configurations but can involve more configuration steps.

To enable SSH-key-based impersonation:

  1. Create a directory for the Zeppelin SSH key:
    mkdir -p /opt/mapr/zeppelin/zeppelin-0.9.0/conf/sshkeys
  2. Generate the key pair (without a passphrase):
    ssh-keygen -f /opt/mapr/zeppelin/zeppelin-0.9.0/conf/sshkeys/zeppelin_key
  3. Copy the public key to the target users with ssh-copy-id (using localhost as the host):
    ssh-copy-id -i /opt/mapr/zeppelin/zeppelin-0.9.0/conf/sshkeys/zeppelin_key.pub <user>@localhost 

    For example:

    ssh-copy-id -i /opt/mapr/zeppelin/zeppelin-0.9.0/conf/sshkeys/zeppelin_key.pub mapruser1@localhost
  4. Configure Zeppelin to use those keys for impersonation by setting ZEPPELIN_IMPERSONATE_CMD to the following value in conf/zeppelin-env.sh:
    export ZEPPELIN_IMPERSONATE_CMD='ssh -i ${ZEPPELIN_HOME}/conf/sshkeys/zeppelin_key ${ZEPPELIN_IMPERSONATE_USER}@localhost '
  5. Restart the Zeppelin server for these configurations to take effect:
    maprcli node services -action restart -nodes $(hostname) -name zeppelin
  6. Optionally, enable impersonation for interpreters of your choice in the Zeppelin user interface by setting how the interpreter is instantiated. To do so, select Per User and Isolated process, and then check User Impersonate.
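
To check a node against the risks of both impersonation methods described on this page (the unrestricted NOPASSWD rule and the passphrase-less private key), the following shell functions are an added example, not part of the MapR documentation. The function names audit_sudoers, audit_key and demo are hypothetical, the 600/700 permission policy is this example's assumption, and the sample files are constructed.

```shell
#!/bin/sh
# Added audit example (not from the MapR documentation). Needs awk and GNU stat.

# Report sudoers rules that allow every command without a password, such as
# "mapr ALL=(ALL) NOPASSWD: ALL". Returns 1 if any rule is found, else 0.
# Files pulled in through #include/#includedir must be passed separately.
audit_sudoers() {
    awk '
        { line = buf $0; buf = "" }
        line ~ /\\$/ { sub(/\\$/, "", line); buf = line; next }  # join continuations
        line ~ /^[ \t]*#/ || line ~ /^[ \t]*$/ { next }          # comment or blank
        line ~ /^[ \t]*(Defaults|(User|Runas|Host|Cmnd)_Alias)/ { next }
        line ~ /NOPASSWD:[ \t]*ALL[ \t]*$/ || line ~ /NOPASSWD:[ \t]*ALL[ \t]*,/ {
            print FILENAME ": " line; bad = 1
        }
        END { exit bad + 0 }
    ' "$1"
}

# Check the passphrase-less private key: its mode must be 600 (or 400) and its
# directory must grant nothing to group/other. Returns 1 on a finding.
audit_key() {
    key=$1 dir=$(dirname "$1") rc=0
    kmode=$(stat -c %a "$key") || return 2
    dmode=$(stat -c %a "$dir") || return 2
    [ "$kmode" = 600 ] || [ "$kmode" = 400 ] || { echo "$key: mode $kmode, expected 600"; rc=1; }
    case $dmode in
        *00) ;;
        *) echo "$dir: mode $dmode grants access to group/other, expected 700"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample input so the checks can be tried offline.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '# constructed sample' 'mapr ALL=(ALL) NOPASSWD: ALL ' \
        'ops ALL=(root) NOPASSWD: /usr/bin/systemctl restart zeppelin' > "$d/sudoers"
    mkdir -m 755 "$d/sshkeys"; : > "$d/sshkeys/zeppelin_key"
    chmod 600 "$d/sshkeys/zeppelin_key"
    audit_sudoers "$d/sudoers" && s=0 || s=$?
    audit_key "$d/sshkeys/zeppelin_key" && k=0 || k=$?
    rm -rf "$d"
    echo "sudoers=$s key=$k"
}
demo
```

On a real node, call audit_sudoers on /etc/sudoers and each included file, and audit_key on the zeppelin_key path created in step 2.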