Yes, I use a container, similar to the one in this recent pull request.

https://github.com/apache/zeppelin/pull/3484/commits/9f0fbaaf4bf77cf832f42ee282004b7d82cf61e4


We were running as zeppelin instead of root, but I want the shell commands
to run as a different user so they can't read the configuration code. So I
created a zeppelin_user and hardcoded

  export ZEPPELIN_IMPERSONATE_USER='zeppelin_user'

But this isn't really a documented or supported way to go about this.

We typically use shell, markdown and spark interpreters.


On Fri, Oct 11, 2019 at 10:11 PM Jeff Zhang <zjf...@gmail.com> wrote:

> <https://github.com/apache/zeppelin/pull/3333> Are you running Zeppelin in
> a Docker container? Do you care about all the interpreters or just the Spark
> interpreter?
>
>
> Tony Primerano <primer...@tonycode.com> wrote on Fri, Oct 11, 2019 at 10:36 PM:
>
>> I have a use case where I am running the Zeppelin server as a user named
>> zeppelin.  All user interpreter processes run as this user but this gives
>> them too much power.  They can view configuration files and logs.
>>
>> I don't want to impersonate the users because they don't have accounts in
>> the container I am running Zeppelin in.
>>
>> So the hack I came up with was to set ZEPPELIN_IMPERSONATE_USER manually.
>>
>> export ZEPPELIN_IMPERSONATE_USER='zeppelin_user'
>>
>> export ZEPPELIN_IMPERSONATE_CMD='sudo -H -u ${ZEPPELIN_IMPERSONATE_USER} /bin/bash -c '
>>
>> export ZEPPELIN_IMPERSONATE_SPARK_PROXY_USER=true
>>
>> This seems to work but it isn't really a standard configuration and I
>> fear it may break in the future.
>>
>> Is there a better way to do this?
>>
>> The zeppelin_user account has limited access so it can't read the conf
>> and other sensitive directories.
>>
>> Let me know if there is a better way to do this.
>>
>> Thanks,
>> Tony
>>
>>
>>
>>
>
> --
> Best Regards
>
> Jeff Zhang
>
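
Added example, not part of the thread and not Zeppelin's own code: a small audit for the goal described above, confirming that a restricted interpreter account cannot read a configuration tree. It assumes the account (zeppelin_user in the thread) is neither the owner of the files nor in their group, so only the "other" mode bits apply; the file names and sample tree are constructed.

```shell
#!/bin/sh
# Audit which paths a restricted interpreter account could read.
# Assumption: the restricted account is not the owner of these paths and is
# not a member of their group, so only the "other" permission bits apply.

# Print every non-symlink path under "$1" that grants read to "other" (004).
world_readable() {
    find "$1" ! -type l -perm -004 -print
}

# Return 0 when nothing under "$1" is readable by "other", 1 otherwise.
is_locked_down() {
    [ -z "$(world_readable "$1")" ]
}

# Build a constructed sample tree standing in for a configuration directory.
# Prints the path of the new directory.
make_sample_conf() {
    d=$(mktemp -d) || return 1
    printf 'constructed sample\n' > "$d/site-config.xml"
    printf 'constructed sample\n' > "$d/credentials.ini"
    chmod 750 "$d"
    chmod 644 "$d/site-config.xml"   # weak: readable by every local account
    chmod 640 "$d/credentials.ini"   # owner and group only
    printf '%s\n' "$d"
}

# Remove all "other" access from the tree so the restricted account is shut out.
harden() {
    chmod -R o-rwx "$1"
}

# Usage: sh audit.sh /path/to/conf   (lists anything "other" can read)
if [ -n "${1:-}" ]; then
    world_readable "$1"
fi
```

Mode bits are only part of the picture: ACLs and group membership can still grant access, so a final check run as the restricted account itself is the authoritative one.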
