
How to restrict queue submission with Sentry activated on CDH 5.13?

Hi Cloudera Team,

I'm facing a problem of queue submission restriction with Sentry. I already checked this solved post: https://community.cloudera.com/t5/Cloudera-Manager-Installation/sentry-hive-kerberos-resource-manage... (on which I also posted the same description as below).

Here is my need: I have different kinds of users on my clusters and I would like to set submission rights on queues for users and groups in order to restrict the access when they are using Hive (because I use Sentry for Hive).

I'm using CDH 5.13 with Kerberos and Sentry. As I am using Sentry, impersonation is disabled.

I don't understand how to configure Dynamic Resource Pool Configuration to work using the original user's groups (me, not hive).

My configuration is:

root
|--A
|--B

On root, submission ACLs are set to allow only the "sentry" user to submit in this pool

On A, submission ACLs are set to allow only group A to submit in this pool

On B, submission ACLs are set to allow only group B to submit in this pool

Placement rules are:

1 - "Use the pool Specified at run time, only if the pool exists."

2 - "Use the pool root.[username] and create the pool if it does not exist."

When I submit a query with a user from the group A, using Hue and setting "set mapred.job.queue.name=A;", I got the error: "User hive cannot submit applications to queue root.A"

If I add hive to the allowed users on root, the query works fine, but both A and B users can submit queries.

If I add hive to only the "A" resource pool, then users from both the A and B groups can submit queries to resource pool A, but none can submit to resource pool B.

Maybe I am missing an important part: if I add hive as an authorized user, it will break the ACLs, as every user could use all the resource pools.

Can you give me the good configuration to set?
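
The three outcomes described in the post above, reproduced as a small model (an added example, not part of the original post and not Cloudera code). It assumes that a submit ACL on a parent pool also grants access to its child pools and that, with impersonation disabled, the job reaches YARN as user hive, as the quoted error message shows; the users alice and bob and all function names are made up for the illustration.

```python
# Simplified model of Fair Scheduler submit ACLs (added example, not Cloudera code).
# Assumption: a submitter passes if the pool's ACL or any ancestor's ACL admits them.
GROUPS = {"alice": {"A"}, "bob": {"B"}, "hive": {"hive"}}  # constructed users
PARENT = {"root.A": "root", "root.B": "root", "root": None}


def make_acls(root_users=("sentry",), a_users=(), b_users=()):
    """Pool -> (allowed users, allowed groups), following the post's layout."""
    return {
        "root": (set(root_users), set()),
        "root.A": (set(a_users), {"A"}),
        "root.B": (set(b_users), {"B"}),
    }


def can_submit(acls, pool, submitter):
    """Walk from the pool up to root; any matching ACL grants submission."""
    while pool is not None:
        users, groups = acls[pool]
        if submitter in users or GROUPS.get(submitter, set()) & groups:
            return True
        pool = PARENT[pool]
    return False


def yarn_submitter(end_user, impersonation=False):
    """Without impersonation the job reaches YARN as 'hive', not the end user."""
    return end_user if impersonation else "hive"


def outcomes(acls, impersonation=False):
    """Who can reach which pool: {(end_user, pool): allowed}."""
    return {
        (user, pool): can_submit(acls, pool, yarn_submitter(user, impersonation))
        for user in ("alice", "bob")
        for pool in ("root.A", "root.B")
    }


AS_POSTED = make_acls()                                # only sentry on root
HIVE_ON_ROOT = make_acls(root_users=("sentry", "hive"))
HIVE_ON_A = make_acls(a_users=("hive",))

if __name__ == "__main__":
    for name, acls in [("as posted", AS_POSTED), ("hive on root", HIVE_ON_ROOT),
                       ("hive on A", HIVE_ON_A)]:
        print(name, outcomes(acls))
```

The `impersonation=True` path exists only as a contrast: it shows that the group ACLs on A and B would separate the two groups if the end user's identity were the one checked.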