02-26-2018 12:38 AM
Hi Cloudera Team,
I'm facing a problem of queue submission restriction with Sentry. I already checked this solved post: https://community.cloudera.com/t5/Cloudera-Manager-Installation/sentry-hive-kerberos-resource-manage... (on which I also posted the same description as below).
Here is my need: I have different kinds of users on my clusters and I would like to set submission rights on queues for users and groups in order to restrict access when they are using Hive (because I use Sentry for Hive).
I'm using CDH 5.13 with Kerberos and Sentry. As I am using Sentry, impersonation is disabled.
I don't understand how to configure the Dynamic Resource Pool Configuration to work using the original user's groups (me, not hive).
My configuration is:
On root, submission ACLs are set to allow only the "sentry" user to submit in this pool
On A, submission ACLs are set to allow only group A to submit in this pool
On B, submission ACLs are set to allow only group B to submit in this pool
Placement rules are:
1 - "Use the pool Specified at run time, only if the pool exists."
2 - "Use the pool root.[username] and create the pool if it does not exist."
When I submit a query with a user from group A, using Hue and setting "set mapred.job.queue.name=A;", I get the error: "User hive cannot submit applications to queue root.A"
If I add hive to the allowed users on root, the query works fine, but both A and B users can submit queries.
If I add hive to only the "A" resource pool, then users from groups A and B can submit queries to resource pool A, but none can submit to resource pool B.
Maybe I am missing an important part: if I add hive to the authorized users, it will break the ACLs, as every user could use all the resource pools.
Can you give me the right configuration to set?