Apache Zeppelin Component Guide

Configuring User Impersonation for Access to Hive

User impersonation runs Hive queries under the user ID associated with the Zeppelin session.

If Kerberos is not enabled on the cluster, complete the following steps:

  1. In the Zeppelin UI, navigate to the %jdbc section of the Interpreter page.

  2. Click edit, then add a hive.proxy.user.property property and set its value to hive.server2.proxy.user.

  3. Click Save, then click restart to restart the JDBC interpreter.

If Kerberos is enabled on the cluster, enable user impersonation by configuring the %jdbc interpreter as follows:

  1. In Hive configuration settings, set hive.server2.enable.doAs to true.

  2. In the Zeppelin UI, navigate to the %jdbc section of the Interpreter page.

  3. Enable authentication via the Shiro configuration: specify authorization type, keytab, and principal.

    1. Set zeppelin.jdbc.auth.type to KERBEROS.

    2. Set zeppelin.jdbc.principal to the value of the principal.

    3. Set zeppelin.jdbc.keytab.location to the keytab location.

  4. Set hive.url to the URL for HiveServer2. (On an Ambari-managed cluster you can find the URL under Hive > HiveServer2 JDBC URL.) Here is the general format:

    jdbc:hive2://HiveHost:10001/default;principal=hive/_HOST@HOST1.COM;hive.server2.proxy.user=testuser

    The JDBC interpreter adds the user ID as a proxy user, and sends the string to HiveServer2; for example:

    jdbc:hive2://dkhdp253.dk:2181,dkhdp252.dk:2181,dkhdp251.dk:2181/;serviceDiscoveryMode=zooKeeper;zooKeeperNamespace=hiveserver2

  5. Add a hive.proxy.user.property property and set its value to hive.server2.proxy.user.

  6. Click Save, then click restart to restart the interpreter.
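
The following is an added example, not code from Zeppelin or from this guide: it audits a %jdbc property map against the steps above and models how the session user ID is appended to hive.url as the proxy user. The dict layout, the function names, the user ID character whitelist, and the sample hostnames and paths are assumptions.

```python
import re

PROXY_KEY = "hive.proxy.user.property"
PROXY_VALUE = "hive.server2.proxy.user"

def audit_jdbc_settings(props, kerberos, hive_do_as=None):
    """Return findings for steps on this page that the settings do not meet."""
    findings = []
    if props.get(PROXY_KEY, "").strip() != PROXY_VALUE:
        findings.append(f"{PROXY_KEY} must be set to {PROXY_VALUE}")
    if not kerberos:
        return findings
    if hive_do_as is not True:
        findings.append("hive.server2.enable.doAs must be true in Hive")
    if props.get("zeppelin.jdbc.auth.type", "").strip() != "KERBEROS":
        findings.append("zeppelin.jdbc.auth.type must be KERBEROS")
    for key in ("zeppelin.jdbc.principal", "zeppelin.jdbc.keytab.location"):
        if not props.get(key, "").strip():
            findings.append(f"{key} is not set")
    if not props.get("hive.url", "").startswith("jdbc:hive2://"):
        findings.append("hive.url must be the jdbc:hive2:// URL of HiveServer2")
    return findings

def url_for_session(props, session_user):
    """Model of the string sent to HiveServer2 for one Zeppelin session user."""
    # Assumed whitelist: reject characters that act as delimiters in a hive2 URL.
    if not re.fullmatch(r"[A-Za-z0-9._@-]+", session_user):
        raise ValueError(f"unsafe user ID: {session_user!r}")
    url, sep, conf = props["hive.url"].partition("?")
    # The proxy user is a session variable, so it goes before any '?' section.
    return f"{url.rstrip(';')};{props[PROXY_KEY]}={session_user}{sep}{conf}"

# Constructed sample settings (hostnames, realm and keytab path are placeholders).
SAMPLE = {
    "zeppelin.jdbc.auth.type": "KERBEROS",
    "zeppelin.jdbc.principal": "zeppelin@EXAMPLE.COM",
    "zeppelin.jdbc.keytab.location": "/path/to/zeppelin.keytab",
    "hive.url": "jdbc:hive2://HiveHost:10001/default;principal=hive/_HOST@EXAMPLE.COM",
    PROXY_KEY: PROXY_VALUE,
}

if __name__ == "__main__":
    print(audit_jdbc_settings(SAMPLE, kerberos=True, hive_do_as=True))
    print(url_for_session(SAMPLE, "testuser"))
```

An empty findings list means every step in the procedure is reflected in the settings; each finding names the property to correct before restarting the interpreter.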

For information about authenticating Zeppelin users through Active Directory or LDAP, see Configuring Zeppelin Security.