New Contributor
Posts: 2
Registered: ‎12-20-2017

How to restrict queue submission with Sentry activated on CDH 5.13 ?

Hi Cloudera Team,


I'm facing a problem of queue submission restriction with Sentry. I already check this solved post : (on which I also post the same description as below).


Here is my need : I have a different kind of users on my clusters and I would like set submission rights on queue for user and groups in order to restrict the acess when they are using Hive (because I use Sentry for Hive).

I'm using CDH 5.13 with Kerberos and Sentry. As I am using Sentry, impersonation is disabled.

I don't understand how to configure Dynamic Ressource Pool Configuration to work using orginal user groups (me not hive).


My configuration is 




On root, submission ACL are set to allow only "sentry" user to submit in this pool

On A, submission ACL are set to allow only group A to submit in this pool

On B, submission ACL are set to allow only group B to submit in this pool

Placement rules are :

1 - "Use the pool Specified at run time, only if the pool exists."

2 - "Use the pool root.[username] and create the pool if it does not exist. "


When I submit a query with a user from the group A, using Hue and setting "set;" I got the error : "User hive cannot submit applications to queue root.A"


If I add hive to allowed user on root, the query is working fine but both A and B user's can submit query

If I add hive to only "A" resource pool, then user from A and B group can submit query to ressource pool A, but none can submit to resource pool B


Maybe I am missing an important part, if I add hive in authorized user it will break the ACL's as every user could use all the resource pool.


Can give me the good configuration to set ?