https://community.cloudera.com/t5/Archives-of-Support-Questions/Ranger-for-YARN-RM-Not-using-group-membership/m-p/171563#M45805 <P>It was a problem with case conversion. Hadoop seems to require all lowercase principals, whereas the used principals were all uppercase.</P><P>Adding /L to the Auth_to_local mapping solved the problem.</P> Thu, 10 Nov 2016 17:21:05 GMT benhadoop 2016-11-10T17:21:05Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Ranger-for-YARN-RM-Not-using-group-membership/m-p/171562#M45804 <P>Hi community,</P><P>I am running a kerberized HDP 2.5 cluster with Ranger policies activated for everything. I have synced Ranger with LDAP and Linux with AD to have consistent group memberships.</P><P>With SPNEGO, the access to the ResourceManager ist also a matter of authorization. Only users with administer_queue rights on a queue can view details of applications in that queue.</P><P>My problem is: When creating Ranger policies for YARN queues, rights based on groups are not respected in the RM WebUI. Only user-based rights are accepted. The group membership is, however, shown correctly in Ranger.</P><P>Do you have any idea, how to ensure that YARN uses the correct groups for granting rights?</P><P>Thanks!</P> Thu, 10 Nov 2016 16:09:09 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Ranger-for-YARN-RM-Not-using-group-membership/m-p/171562#M45804 benhadoop 2016-11-10T16:09:09Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Ranger-for-YARN-RM-Not-using-group-membership/m-p/171563#M45805 <P>It was a problem with case conversion. Hadoop seems to require all lowercase principals, whereas the used principals were all uppercase.</P><P>Adding /L to the Auth_to_local mapping solved the problem.</P> Thu, 10 Nov 2016 17:21:05 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Ranger-for-YARN-RM-Not-using-group-membership/m-p/171563#M45805 benhadoop 2016-11-10T17:21:05Z