Apache Zeppelin Component Guide
Also available as:

Configuring User Impersonation for Access to Hive

User impersonation runs Hive queries under the user ID associated with the Zeppelin session.

If Kerberos is not enabled on the cluster, no additional configuration steps are required.

If Kerberos is enabled on the cluster, enable user impersonation as follows:

To configure the %jdbc interpreter, complete the following steps:

  1. In Hive configuration settings, set hive.server2.enable.doAs to true.

  2. In the Zeppelin UI, navigate to the %jdbc section of the Interpreter page.

  3. Enable authentication via the Shiro configuration: specify authorization type, keytab, and principal.

    1. Set zeppelin.jdbc.auth.type to KERBEROS.

    2. Set zeppelin.jdbc.principal to the value of the principal.

    3. Set zeppelin.jdbc.keytab.location to the keytab location.

  4. Set hive.url to the URL for HiveServer2. (On an Ambari-managed cluster you can find the URL under Hive > HiveServer2 JDBC URL.) Here is the general format:


    The JDBC interpreter adds the user ID as a proxy user, and sends the string to HiveServer2; for example:


For information about authenticating Zeppelin users through Active Directory or LDAP, see Configuring Zeppelin Security.