mirror of
https://github.com/apache/zeppelin
synced 2026-05-24 09:38:26 +00:00
### What is this PR for?
This PR is for the multi-tenant of JDBC Interpreter.
User can create a user/password for JDBC account at the [Credential page](http://zeppelin.apache.org/docs/0.7.0-SNAPSHOT/security/datasource_authorization.html).
The `Entity` of `Credential` matches the JDBC interpreter group name.
If the account for JDBC is not set in the `Interpreter property` then use `Credential`'s.

### What type of PR is it?
Improvement

### What is the Jira issue?
https://issues.apache.org/jira/browse/ZEPPELIN-1567

### How should this be tested?
Please refer to testMultiTenant() of JDBCInterpreterTest/

### Screenshots (if appropriate)

### Questions:
- Does the licenses files need update? no
- Is there breaking changes for older versions? no
- Does this needs documentation? no

Author: astroshim <hsshim@nflabs.com>

Closes #1539 from astroshim/jdbc-impersonation and squashes the following commits:

- 46fce31 [astroshim] add explanation of InterpreterGroup
- 7a92236 [astroshim] fix doc and remove persist value.
- 63f5ea7 [astroshim] Merge branch 'master' into jdbc-impersonation
- 267277a [astroshim] rebase
- 649ff6e [astroshim] rebase
- 872fb49 [astroshim] fix ScioInterpreterTestCase
- 4387a5b [astroshim] Merge branch 'master' into jdbc-impersonation
- 47c463f [astroshim] update doc and html
- d4eb178 [astroshim] fix docs
- 59aa9ff [astroshim] Merge branch 'master' into jdbc-impersonation
- bf61afd [astroshim] fix testcase
- 5c0f5d7 [astroshim] rebase
- 79ba25b [astroshim] Merge branch 'master' into jdbc-impersonation
- 1f9c2c0 [astroshim] clean redundant code
- a2f5687 [astroshim] fix impersonation
- 9962181 [astroshim] fix InterpreterOutput of PySparkInterpreterTest case
- b55aceb [astroshim] Merge branch 'master' into jdbc-impersonation
- 24a8226 [astroshim] fix doc
- 086dfda [astroshim] fix testcase
- 34fe0a6 [astroshim] fix code for more simple.
- fee7086 [astroshim] fix build error.
- a305eca [astroshim] Merge branch 'master' into jdbc-impersonation
- df80741 [astroshim] documentation for credential.
- df1b1dc [astroshim] rebase and entity name convention.
- 63d6a1c [astroshim] change thrift version to 0.9.2
- 6573c1c [astroshim] change variable name
- f311f34 [astroshim] fix typo
- 722e333 [astroshim] change testcase name
- 9161937 [astroshim] clean code
- 3dafdf0 [astroshim] add testcase
- 373d5f1 [astroshim] pass replName to Interpreter and use credential info for jdbc auth.
64 lines
3.4 KiB
Markdown
---
layout: page
title: "Data Source Authorization in Apache Zeppelin"
description: "Apache Zeppelin supports protected data sources. In the case of a MySQL database, every user can set up their own credentials to access it."
group: security
---
<!--
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
{% include JB/setup %}

# Data Source Authorization in Apache Zeppelin

<div id="toc"></div>

## Overview

Data source authorization involves authenticating to the data source, such as a MySQL database, and letting it determine user permissions.
Apache Zeppelin allows users to use their own credentials to authenticate with **Data Sources**.

For example, let's assume you have an account with credentials in a Vertica database.
You might want to use this account to create a JDBC connection instead of an account shared by all the users who are defined in `conf/shiro.ini`.
In this case, you can add your credential information to Apache Zeppelin and use it by following the simple steps below.

## How to save the credential information?
You can add new credentials for your data source in the dropdown menu; they can then be passed to interpreters.

<img class="img-responsive" src="../assets/themes/zeppelin/img/docs-img/credential_tab.png" width="180px"/>

**Entity** can be the key that distinguishes each set of credentials. (We suggest that the convention for the **Entity** is `[Interpreter Group].[Interpreter Name]`.)
Please see [what is interpreter group](../manual/interpreters.html#what-is-interpreter-group) for detailed information.

Type the **Username & Password** for your own credentials, e.g. the MySQL user and password for the JDBC interpreter.

<img class="img-responsive" src="../assets/themes/zeppelin/img/docs-img/add_credential.png" />

The credentials are saved per user defined in `conf/shiro.ini`.
If you didn't activate [shiro authentication in Apache Zeppelin](./shiroauthentication.html), your credential information will be saved as `anonymous`.
All credential information can also be found in `conf/credentials.json`.

#### JDBC interpreter
You need to maintain per-user connection pools.
The interpret method takes the user string as a parameter and executes the JDBC call using a connection from that user's connection pool.

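The per-user pool and the credential lookup described above, sketched in plain Java as an added example (not Zeppelin's code). All class and method names, the `jdbc.jdbc` Entity and the sample accounts are hypothetical; the precedence of the interpreter property follows the PR description, and rejecting a user who has no credential is a choice of this sketch. It needs Java 16 or later for records.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added illustration: all names and values are hypothetical, not Zeppelin's API.
public class PerUserPoolSketch {
    record Account(String dbUser, String dbPassword) {}

    // Stand-in for a real JDBC pool: it only remembers whose account opened it.
    record Pool(String zeppelinUser, Account account) {}

    private final Account interpreterProperty; // null when the interpreter has no account set
    private final Map<String, Map<String, Account>> credentials; // user -> Entity -> account
    private final Map<String, Pool> pools = new ConcurrentHashMap<>();

    PerUserPoolSketch(Account interpreterProperty,
                      Map<String, Map<String, Account>> credentials) {
        this.interpreterProperty = interpreterProperty;
        this.credentials = credentials;
    }

    // The interpreter property wins; otherwise only the caller's own entry is used.
    Account resolve(String zeppelinUser, String entity) {
        if (interpreterProperty != null) return interpreterProperty;
        Account own = credentials.getOrDefault(zeppelinUser, Map.of()).get(entity);
        if (own == null) { // fail closed: never borrow another user's credential
            throw new SecurityException("no credential for " + zeppelinUser + "/" + entity);
        }
        return own;
    }

    // Pools are keyed by user and Entity, so connections never cross users.
    Pool poolFor(String zeppelinUser, String entity) {
        return pools.computeIfAbsent(zeppelinUser + "\n" + entity,
                key -> new Pool(zeppelinUser, resolve(zeppelinUser, entity)));
    }

    public static void main(String[] args) {
        var creds = Map.of( // constructed sample data
                "alice", Map.of("jdbc.jdbc", new Account("alice_db", "alice-secret")),
                "bob", Map.of("jdbc.jdbc", new Account("bob_db", "bob-secret")));
        var interpreter = new PerUserPoolSketch(null, creds);
        for (String user : new String[] {"alice", "bob", "carol"}) {
            try {
                Pool pool = interpreter.poolFor(user, "jdbc.jdbc");
                System.out.println(user + " runs as " + pool.account().dbUser());
            } catch (SecurityException e) {
                System.out.println(user + " rejected: " + e.getMessage());
            }
        }
    }
}
```
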
#### Presto
You don't need a password if the Presto DB server runs backend code using HDFS authorization for the user.

#### Vertica and MySQL
You have to store the password information for users.

## Please note
As a first step of the data source authentication feature, [ZEPPELIN-828](https://issues.apache.org/jira/browse/ZEPPELIN-828) was proposed and implemented in Pull Request [#860](https://github.com/apache/zeppelin/pull/860).
Currently, only customized 3rd party interpreters can use this feature. We are planning to apply this mechanism to [the community managed interpreters](../manual/interpreterinstallation.html#available-community-managed-interpreters) in the near future.
Please keep track of [ZEPPELIN-1070](https://issues.apache.org/jira/browse/ZEPPELIN-1070).