[ZEPPELIN-1149] %sh interpreter kerberos support #1163
Conversation
LGTM, tested on ubuntu 14.04 server.

"auth.type to SIMPLE", properties.getProperty("shell.auth.type").trim()));
authType = SIMPLE;
}
extra newline
If each interpreter has a separate setting for Kerberos, e.g. shell.keytab.location, would it be harder to manage?
@felixcheung over a period of time, each interpreter will start to have its own keytabs. I think we should have separate keytabs for different interpreters. We will of course have to invest in getting a better management console for the interpreters themselves.
@rconline What is
@jongyoul here are some references - http://linux.die.net/man/1/kinit & http://www.tutorialspoint.com/unix_commands/kinit.htm
@rconline In case of not having
@jongyoul no there isn't. Here's the snippet from UserGroupInformation, which is essentially from Hadoop security. In future we will implement multiple methods of security. At present for Kerberos security Kinit is a necessary step. I intend to generalize this across other interpreters as well subsequently.
# Conflicts: # docs/interpreter/shell.md

private static Logger LOGGER = LoggerFactory.getLogger(ShellSecurityImpl.class);

public static void createSecureCinfiguration(Properties properties, String shell) {
do you mean for this to be createSecureConfiguration?
@felixcheung as of now the interpreters are reusing the zeppelin keytab. Typically this is the case in the hadoop security world, where the keytab is generated at a process level, whereas the authorization is done through impersonation. This is then mapped to the user permissions set up on the underlying data system via posix users. Mature systems which implement full support for security + impersonation can provide this ability. Right now with this change we get to the first stage, which is security. To get to impersonation we will have to start the shell with the user's identity. I think that can be a follow-up patch in the next couple of weeks.
Merging this if no more discussion.
Re-trigger CI
agree with @felixcheung, using the zeppelin service keytab/principal might bring some other potential security problems. I think user A would expect to run the shell script as himself, but actually it runs as user zeppelin. And it seems all the users are sharing the same principal if I understand correctly. Anyway, I don't have a better idea now, but it seems zeppelin in a secured cluster needs a lot of work. Besides that I have one question about shiro in zeppelin: does shiro map the username to the hadoop side? Say I log in to zeppelin as user A, would that guarantee that there is also a user A in the hadoop ecosystem?
Sorry, I mistook it for the hdfs interpreter. For the shell interpreter, must we have kerberos support? I think here kinit is just for the hadoop command, so actually it is for running hdfs commands in a secured cluster rather than running general shell commands in a secured cluster.
This will also allow CLI/shell interaction with other data systems such as hbase, falcon, hive, kafka, oozie, sqoop, etc. on secured clusters. Hence this is a need, particularly during data ingestion via a notebook.
@prabhjyotsingh Thanks for clarification.
CI failure is unrelated, which fails for Build #6048.2 with Will merge this if no more discussion.
I think getting impersonation is an important next step that could come after.
### What is this PR for?
Zeppelin Shell interpreter should work in a Kerberos environment

### What type of PR is it?
[Feature]

### What is the Jira issue?
* [ZEPPELIN-1149](https://issues.apache.org/jira/browse/ZEPPELIN-1149)

### How should this be tested?
In JDBC interpreter setting add following properties
- shell.auth.type = KERBEROS
- shell.principal = principal value
- shell.keytab.location = keytab location

Now try and run any shell command (example: hdfs dfs -ls) it should return with valid results.

### Screenshots (if appropriate)

### Questions:
* Does the licenses files need update? no
* Is there breaking changes for older versions? no
* Does this needs documentation? yes

Author: Rohit Choudhary <rconline@gmail.com>

Closes apache#1163 from rconline/ZEPPELIN-1149 and squashes the following commits:

f6af0f6 [Rohit Choudhary] typo fix
3648a1c [Rohit Choudhary] fix CI, resolve merge conflict
1924b99 [Rohit Choudhary] Merge remote-tracking branch 'origin/master' into ZEPPELIN-1149
9143b47 [Rohit Choudhary] Removed Hadoop common dependency and changed switch to String based Kerberos/Simple.
60e6d21 [Rohit Choudhary] Addressing feedback from felixcheung
b0300e8 [Rohit Choudhary] changing property name to "zeppelin.*" to make it match with rest of the project.
0a77e80 [Rohit Choudhary] shell interpreter doc
5190791 [Rohit Choudhary] [ZEPPELIN-1149] %sh interpreter kerberos support
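A pre-flight check a deployer could run over the interpreter properties listed above before enabling the %sh interpreter, as an added example that is not part of this PR or of the Zeppelin code base. It assumes the property keys exactly as the PR description gives them (shell.auth.type, shell.principal, shell.keytab.location); the keytab permission rule and the realm check are this example's own policy, and the kinit line is only printed, not executed.

```shell
#!/bin/sh
# Added example (not Zeppelin code): validate the %sh interpreter's Kerberos
# settings before anything calls kinit with them.  Property keys follow the
# PR description; the 600/400 keytab rule and the realm check are our policy.

# prop KEY FILE: value of "KEY = value" in a Java-style properties file, trimmed
prop() {
  sed -n "s/^$1 *= *//p" "$2" | sed 's/ *$//' | head -n 1
}

# zeppelin_sh_check PROPERTIES_FILE
# Prints the kinit command line that would be run (or why SIMPLE needs none);
# returns 1 with a message on stderr if the KERBEROS settings are unusable.
zeppelin_sh_check() {
  props="$1"
  auth_type=$(prop 'shell.auth.type' "$props")
  principal=$(prop 'shell.principal' "$props")
  keytab=$(prop 'shell.keytab.location' "$props")

  case "$auth_type" in
    KERBEROS) ;;
    SIMPLE|"") echo "auth.type SIMPLE: no kinit needed"; return 0 ;;
    *) echo "unknown shell.auth.type '$auth_type'" >&2; return 1 ;;
  esac
  [ -n "$principal" ] || { echo "shell.principal is required for KERBEROS" >&2; return 1; }
  [ -n "$keytab" ] || { echo "shell.keytab.location is required for KERBEROS" >&2; return 1; }
  [ -r "$keytab" ] || { echo "keytab not readable: $keytab" >&2; return 1; }

  # A keytab is a long-lived credential for the service principal: every user
  # of the interpreter acts as it, so it must not be group- or world-readable.
  mode=$(stat -c %a "$keytab" 2>/dev/null || stat -f %Lp "$keytab")
  case "$mode" in
    600|400) ;;
    *) echo "keytab $keytab has mode $mode; expected 600 or 400" >&2; return 1 ;;
  esac

  # kinit needs a fully qualified principal (name@REALM) to pick the right key.
  case "$principal" in
    *@*) ;;
    *) echo "shell.principal '$principal' has no realm" >&2; return 1 ;;
  esac

  echo "kinit -kt $keytab $principal"
}
```

Run it as `zeppelin_sh_check /path/to/shell.properties`; a non-zero exit means the interpreter would fail (or, worse, silently share an over-exposed keytab) before the first `hdfs dfs -ls`.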