[ZEPPELIN-5406] Add detailed explanation for Impersonate on LDAP & Ke…

…rberized environments ### What is this PR for? For detailed explanation for how to impersonate on LDAP & Kerberized environments. ### What type of PR is it? [Documentation] ### Todos * [ ] - Task ### What is the Jira issue? https://issues.apache.org/jira/browse/ZEPPELIN-5406 ### How should this be tested? This is about documents update so that the test is not needed. ### Screenshots (if appropriate) ### Questions: * Does the licenses files need update? No * Is there breaking changes for older versions? Yes * Does this needs documentation? Yes Author: sangrho.lee <[email protected]> Closes apache#4132 from Sangrho/add_detailed_explanation_for_impersonate and squashes the following commits: ebde044 [sangrho.lee] [ZEPPELIN-5406] Add explanation for Impersonate on LDAP & Kerberized_environments
aib628 · Jun 8, 2021 · 906b911 · 906b911
1 parent 61788c4
commit 906b911
Showing 1 changed file with 59 additions and 2 deletions.
diff --git a/docs/usage/interpreter/user_impersonation.md b/docs/usage/interpreter/user_impersonation.md
@@ -2,7 +2,7 @@
 layout: page
 title: "Impersonation"
 description: "Set up zeppelin interpreter process as web front end user."
-group: usage/interpreter 
+group: usage/interpreter
 ---
 <!--
 Licensed under the Apache License, Version 2.0 (the "License");
@@ -25,6 +25,8 @@ User impersonation enables to run zeppelin interpreter process as a web frontend
 
 ## Setup
 
+### Linux User
+
 #### 1. Enable Shiro auth in `conf/shiro.ini`
 
 ```
@@ -59,7 +61,7 @@ bin/zeppelin-daemon restart
 bin\zeppelin.cmd
 ```
 
-#### 5. Configure impersonation for interpreter 
+#### 5. Configure impersonation for interpreter
 
 <div class="row">
   <div class="col-md-12" >
@@ -82,3 +84,58 @@ whoami
 ```
 
 Note that usage of "User Impersonate" option will enable Spark interpreter to use `--proxy-user` option with current user by default. If you want to disable `--proxy-user` option, then refer to `ZEPPELIN_IMPERSONATE_SPARK_PROXY_USER` variable in `conf/zeppelin-env.sh`
+
+
+### LDAP User with kerberized HDFS
+
+#### 1. Set the user(zeppelin) to be enable to set proxyuser in `core-site.xml`
+```bash
+<property>
+  <name>hadoop.proxyuser.zeppelin.groups</name>
+  <value>*</value>
+</property>
+<property>
+  <name>hadoop.proxyuser.zeppelin.users</name>
+  <value>*</value>
+</property>
+<property>
+  <name>hadoop.proxyuser.zeppelin.hosts</name>
+  <value>*</value>
+</property>
+```
+#### 2. Set the group to be enable to connect Hive metastore in 'core-site.xml'
+```bash
+<property>
+  <name>hadoop.proxyuser.hive.groups</name>
+  <value>zeppelin</value>
+</property>
+```
+
+#### 3. Enable Kerberos setting in `zeppelin-site.xml`
+```bash
+<property>
+  <name>zeppelin.server.kerberos.keytab</name>
+  <value>zeppelin.keytab</value>
+</property>
+
+<property>
+  <name>zeppelin.server.kerberos.principal</name>
+  <value>zeppelin@principal</value>
+</property>
+```
+#### 4. Restart zeppelin server.
+
+```bash
+# for OSX, linux
+bin/zeppelin-daemon restart
+
+# for windows
+bin\zeppelin.cmd
+```
+
+#### 5. Configure impersonation for interpreter
+Option
+
+The interpreter will be instantiated *Per User* in *isolated* process
+
+*User impersonate*