Posted to users@zeppelin.apache.org by Ruslan Dautkhanov <da...@gmail.com> on 2016/11/29 18:44:29 UTC

multi-tenant Zeppelin notebook

What's the best way to have a multi-tenant Zeppelin notebook?

It seems we currently will have to ask users to run their own Zeppelin
instances, since each user has their own authentication & authorization
based on the user who runs the Zeppelin server.

I see the best solution could probably be to have --keytab and --principal
be notebook-level parameters rather than server-level.

So, for example, I can see Zeppelin multitenancy could be implemented as
1) users being authenticated through LDAP,
2) that user gets mapped to a --keytab and --principal pair specific for
   that user,
so in-Hadoop HDFS, Hive etc. access will be specific for that user
(through HDFS ACL, and Sentry/Ranger roles).

Another way: it might be easier to implement through spark-submit's
--proxy-user parameter, but I am not sure of the details in this case.
I know that, for example, Cloudera's Hue is using proxy authentication quite
successfully in our organization. I.e. Hue does LDAP authentication, and then
impersonates that specific user, and all requests are made on behalf of that
user (although `hue` is the actual OS user that runs the Hue service). Other
Hadoop services are just configured to trust user `hue` to impersonate other
users.

Is there a better way?

Anything in the Zeppelin roadmap to bring user multitenancy?


Thank you,
Ruslan Dautkhanov

Re: multi-tenant Zeppelin notebook

Posted by Ruslan Dautkhanov <da...@gmail.com>.
Thank you a lot moon!

> Interpreter Impersonation [1] was recently introduced and there is further
> improvement in progress [2].

Very cool. Please consider checking
https://issues.apache.org/jira/browse/ZEPPELIN-1660 too, as we
would always run into this to make Zeppelin not have any user-specific
paths.

> I didn't see any issue about impersonating the Spark interpreter using
> --proxy-user. Do you mind creating one?

Complete: https://issues.apache.org/jira/browse/ZEPPELIN-1730

Thank you.



-- 
Ruslan Dautkhanov

On Tue, Nov 29, 2016 at 3:30 PM, moon soo Lee <mo...@apache.org> wrote:

> Interpreter Impersonation [1] was recently introduced and there is further
> improvement in progress [2].
>
> I didn't see any issue about impersonating the Spark interpreter using
> --proxy-user. Do you mind creating one?
>
> Thanks,
> moon
>
> [1] http://zeppelin.apache.org/docs/0.7.0-SNAPSHOT/manual/userimpersonation.html
> [2] https://github.com/apache/zeppelin/pull/1672

Re: multi-tenant Zeppelin notebook

Posted by vincent gromakowski <vi...@gmail.com>.
Good to know, great job

2016-11-29 23:30 GMT+01:00 moon soo Lee <mo...@apache.org>:

> Interpreter Impersonation [1] was recently introduced and there is further
> improvement in progress [2].
>
> I didn't see any issue about impersonating the Spark interpreter using
> --proxy-user. Do you mind creating one?
>
> Thanks,
> moon
>
> [1] http://zeppelin.apache.org/docs/0.7.0-SNAPSHOT/manual/userimpersonation.html
> [2] https://github.com/apache/zeppelin/pull/1672

Re: multi-tenant Zeppelin notebook

Posted by moon soo Lee <mo...@apache.org>.
Interpreter Impersonation [1] was recently introduced and there is further
improvement in progress [2].

I didn't see any issue about impersonating the Spark interpreter using
--proxy-user. Do you mind creating one?

Thanks,
moon

[1] http://zeppelin.apache.org/docs/0.7.0-SNAPSHOT/manual/userimpersonation.html
[2] https://github.com/apache/zeppelin/pull/1672


On Tue, Nov 29, 2016 at 11:05 AM vincent gromakowski <
vincent.gromakowski@gmail.com> wrote:

> It has been asked many times. For now only Livy can impersonate the Spark
> user. For other interpreters it's not possible as far as I know...

Re: multi-tenant Zeppelin notebook

Posted by vincent gromakowski <vi...@gmail.com>.
It has been asked many times. For now only Livy can impersonate the Spark
user. For other interpreters it's not possible as far as I know...
