Without user impersonation (which is impossible with %spark anyway), a user can just write a simple script to see any file in the Zeppelin folder, including shiro.ini or any notes. So, the users and passwords in shiro become pretty meaningless. Can't Zeppelin just disallow such peeking?
For example, any user can just execute the following in a note to get what is inside the shiro.ini file.
I know that one can use livy.spark instead for proper user impersonation, but then you can't use the ZeppelinContext variable z.