These are my findings:

I think I have found why the credentials are lost; I think I might be
able to create a patched version that will work for us.

Execution flow:

 1. Spark job uses method run from ZeppelinContext.
 2. The method run gets all the InterpreterContextRunner for a given
    notebook and paragraph; in our case it is the ParagraphRunner. The
    InterpreterContextRunner receives the notebookId and the paragraphId
    as parameters.
 3. The ParagraphRunner runs the paragraph by sending an event using the
    RemoteInterpreterEventClient.
 4. The RemoteInterpreterEventClient pushes a
    RUN_INTERPRETER_CONTEXT_RUNNER event, with the ParagraphRunner as a
    payload (serialised to JSON using gson).
 5. The RemoteInterpreterEventPoller receives the event, deserialises the
    InterpreterContextRunner and calls the onRemoteRunParagraph of a
    RemoteInterpreterProcessListener (in our case, this is the
    NotebookServer); this method only receives the notebookId and the
    paragraphId.
 6. The NotebookServer implementation of onRemoteRunParagraph uses
    SecurityUtils to retrieve the user credentials.

So, the credentials are lost because the InterpreterContextRunner, the
info that is serialised to execute a paragraph, doesn’t contain the
credentials.

If we modify the InterpreterContextRunner to include the
AuthenticationInfo and modify the onRemoteRunParagraph to accept an
optional AuthenticationInfo... it might do the trick. But... is this the
right way to solve this problem?

If that's the case I'm happy to contribute with a PR to address
this issue.
-- 
  Luis Angel Vicente Sanchez
  zeppelin-us...@bigcente.ch



On Mon, 25 Sep 2017, at 19:46, Deenar Toraskar wrote:
> Hi Jeff
> 
> We are at a dead end with this
> https://issues.apache.org/jira/browse/ZEPPELIN-2929. Any pointers
> would be appreciated. We are deploying Zeppelin to clients and without
> this they lose a lot of interactivity.
>
> Regards
> Deenar
> 
> On 13 September 2017 at 08:38, Jianfeng (Jeff) Zhang
> <jzh...@hortonworks.com> wrote:
>>
>> Could you create a ticket for it first?  I suspect it is due to we
>> didn’t pass user name in InterpreterContextRunner, but needs more
>> investigation.
>>
>> 
>> 
>> 
>> Best Regard,
>> Jeff Zhang
>> 
>> 
>> 
>> *From:* Deenar Toraskar <deenar.toras...@gmail.com>
>> *Reply-To:* "users@zeppelin.apache.org" <users@zeppelin.apache.org>
>> *Date:* Wednesday, September 13, 2017 at 3:04 PM
>> *To:* "users@zeppelin.apache.org" <users@zeppelin.apache.org>
>> *Subject:* Re: ZeppelinContext run method runs a paragraph as anonymous user
>>
>> Hi 
>> 
>> I work with Luis. We have tried both options of triggering cells in
>> the same notebook using z.run(paraIndex) as well as the paragraph id
>> z.run("20170620-085926_474506193").
>>
>> We are happy to patch Zeppelin. Would be grateful if you can point us
>> to the right direction on how to propagate the credentials.
>>
>> Regards
>> Deenar
>> 
>> On 12 September 2017 at 20:30, Luis Angel Vicente Sanchez
>> <zeppelin-us...@bigcente.ch> wrote:
>>>
>>> I also tried with z.run(paragraphSeqNumber)
>>> 
>>> 
>>> --
>>>   Luis Angel Vicente Sanchez
>>>    zeppelin-us...@bigcente.ch
>>> 
>>> 
>>> 
>>> 
>>> On Tue, 12 Sep 2017, at 09:22, Luis Angel Vicente Sanchez wrote:
>>>> That's quite simple actually. Zeppelin exposes the ZeppelinContext
>>>> as the variable z... you just need to do this:
>>>>
>>>> z.run(paragraphId)
>>>> 
>>>> --
>>>>   Luis Angel Vicente Sanchez
>>>>   zeppelin-us...@bigcente.ch
>>>> 
>>>> 
>>>> 
>>>> On Tue, 12 Sep 2017, at 03:33, Park Hoon wrote:
>>>>> Hi, could you share the paragraph to show how did you run a
>>>>> paragraph in a different paragraph?
>>>>>
>>>>> > if we want to run a paragraph from another paragraph in the same
>>>>> > notebook (to refresh it),
>>>>>
>>>>> Regard,
>>>>>
>>>>> On Mon, Sep 11, 2017 at 11:24 PM, Luis Angel Vicente Sanchez
>>>>> <zeppelin-us...@bigcente.ch> wrote:
>>>>>> Some extra info:
>>>>>> 
>>>>>> println(s"AUTHENTICATION INFO :: ${z.getInterpreterContext.getAuthenticationInfo.getUser} ${z.getInterpreterContext.getAuthenticationInfo.getTicket}")
>>>>>> 
>>>>>> That line inside a Spark notebook prints both the user name and
>>>>>> the ticket that the user gets after a successful login... so the
>>>>>> interpreter knows who the user is. Can that info be used to run a
>>>>>> paragraph?
>>>>>>
>>>>>> --
>>>>>>   Luis Angel Vicente Sanchez
>>>>>>   zeppelin-us...@bigcente.ch
>>>>>>
>>>>>> On Mon, 11 Sep 2017, at 12:16, Luis Angel Vicente Sanchez wrote:
>>>>>> > And we are running the notebook using spark local, and using a
>>>>>> > whirl JdbcRealm to authenticate users is there anything we can do
>>>>>> > to make the spark interpreter impersonate the front-end user?
>>>>>> >
>>>>>> > --
>>>>>> >   Luis Angel Vicente Sanchez
>>>>>> >   zeppelin-us...@bigcente.ch
>>>>>> >
>>>>>> > On Mon, 11 Sep 2017, at 11:14, Luis Angel Vicente Sanchez wrote:
>>>>>> > > We are using Zeppelin 0.7.1/
>>>>>> > >
>>>>>> > >
>>>>>> > > --
>>>>>> > >   Luis Angel Vicente Sanchez
>>>>>> > >   zeppelin-us...@bigcente.ch
>>>>>> > >
>>>>>> > > On Mon, 11 Sep 2017, at 11:12, Luis Angel Vicente Sanchez wrote:
>>>>>> > > > Hi,
>>>>>> > > >
>>>>>> > > > We have enabled notebook permissions in our Zeppelin
>>>>>> > > > installation and now we are facing the problem that if we
>>>>>> > > > want to run a paragraph from another paragraph in the same
>>>>>> > > > notebook (to refresh it), the user that is running that
>>>>>> > > > paragraph is the anonymous user and not the front-end user
>>>>>> > > > and, therefore, we get a "ForbiddenException" because of
>>>>>> > > > that.
>>>>>> > > >
>>>>>> > > > Is there a way to run a paragraph as the front-end user?
>>>>>> > > >
>>>>>> > > >
>>>>>> > > > Kind regards,
>>>>>> > > >
>>>>>> > > > Luis Angel Vicente Sanchez
>>>>>> > > > zeppelin-us...@bigcente.ch
>>> 
>> 
>> 

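The execution flow listed in the first message, reduced to a self-contained model; this is an added example, not Zeppelin's code or the poster's patch. The names `RunnerEvent`, `resolveUser`, `TICKETS` and `NOTE_OWNERS` and all sample data are hypothetical, the gson hop is left out, and the server-side ticket check is an assumption about how a receiver would validate identity sent by the interpreter process.

```java
import java.util.Map;
import java.util.Set;

// Simplified model of the flow described in the thread. All class, method and
// field names are hypothetical stand-ins, not Zeppelin's real code.
public class RunnerCredentialDemo {
    // Payload the interpreter process sends to the server. In the flow from the
    // thread only noteId and paragraphId are carried; user and ticket model the
    // proposed AuthenticationInfo addition.
    record RunnerEvent(String noteId, String paragraphId, String user, String ticket) {}

    // Server-side state (constructed sample data): the ticket issued to each
    // logged-in user and the owners of each note.
    static final Map<String, String> TICKETS = Map.of("alice", "ticket-1234");
    static final Map<String, Set<String>> NOTE_OWNERS = Map.of("note-1", Set.of("alice"));

    // The event arrives on a poller thread with no web session attached, so
    // without verified credentials in the payload the caller is anonymous.
    static String resolveUser(RunnerEvent e) {
        if (e.user() == null || e.ticket() == null) {
            return "anonymous";
        }
        // Assumption: the user name sent by the interpreter process is not
        // trusted on its own; it must match the ticket the server issued.
        return e.ticket().equals(TICKETS.get(e.user())) ? e.user() : "anonymous";
    }

    // Stand-in for the listener callback that runs the paragraph.
    static String onRemoteRunParagraph(RunnerEvent e) {
        String user = resolveUser(e);
        boolean allowed = NOTE_OWNERS.getOrDefault(e.noteId(), Set.of()).contains(user);
        return allowed ? "RUN as " + user : "FORBIDDEN for " + user;
    }

    public static void main(String[] args) {
        // Before: only the two ids travel with the event, as in the thread.
        System.out.println(onRemoteRunParagraph(new RunnerEvent("note-1", "p-1", null, null)));
        // After: identity travels with the event and is verified server-side.
        System.out.println(onRemoteRunParagraph(
                new RunnerEvent("note-1", "p-1", "alice", "ticket-1234")));
        // A user name paired with a ticket the server never issued is rejected.
        System.out.println(onRemoteRunParagraph(
                new RunnerEvent("note-1", "p-1", "alice", "bogus")));
    }
}
```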