Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

Can we share a set of LLAP daemons with multiple users when doAs is "true" in secured hadoop cluster?

Labels:
avatar
author-rank tomo_hirano
Contributor

Created on ‎07-10-2017 01:52 AM - edited ‎09-16-2022 04:54 AM

Here is my use case for example.

  • Launch LLAP (LLAP daemons, HiveServer2) on Kerberized Hadoop Cluster.
  • Set "true" to "hive.server2.enable.doAs" for Hiveserver2.
  • Launch HiveServer2 with "hive" account.
  • Launch LLAP (LLAP daemons) with "hive" account.

In this case, other kinited user account (for example "userA") can use LLAP daemons which are launched by "hive" user account somehow?

3,155 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank rajkumar_singh author-rank
Super Guru

Created ‎07-10-2017 05:27 AM

@Tomomichi Hirano LLAP cache data for several queries running on it so doAs is not supported in LLAP, every query run on LLAP run as hive user instead of the user who submitted the query. to get a fine grain control over accessibility you can user Ranger security policies along with hive.server2.enable.doAs=false

View solution in original post

2,891 Views
0 Kudos
5 REPLIES 5

avatar
author-rank rajkumar_singh author-rank
Super Guru

Created ‎07-10-2017 05:27 AM

@Tomomichi Hirano LLAP cache data for several queries running on it so doAs is not supported in LLAP, every query run on LLAP run as hive user instead of the user who submitted the query. to get a fine grain control over accessibility you can user Ranger security policies along with hive.server2.enable.doAs=false

2,892 Views
0 Kudos

avatar
author-rank tomo_hirano
Contributor

Created ‎07-10-2017 09:38 AM

Thank you for quick and clear answer. I understood we have to enable Ranger for LLAP.

BTW, can we enable Ranger only for LLAP (HiveServer2) for the first step? I'm asking it because it's a little hard to add Ranger (plugins) for already existing hadoop core components such as HDFS (NameNode/DataNodes), Yarn (ResourceManager/NodeManagers).

We plan to build a new server to launch LLAP (Hive2 HiveServer2 & LLAP with Slider & new MetaStore DB), so if we can enable Ranger only for new LLAP for now, it would be really easier for us than enabling Ranger for all existing hadoop components.

2,891 Views
0 Kudos

avatar
author-rank rajkumar_singh author-rank
Super Guru

Created ‎07-10-2017 10:03 AM

@Tomomichi Hirano ya you can initially go with enabling ranger at hiveserver2 level for now,hiveserver2 will expect that you have read/write permission for hive user on file/folder on hdfs, Additionally, if you install ranger plugin for HDFS then it will be good for you so that you need not mess with hdfs acls and with ranger you can manage at a single place.

2,891 Views
0 Kudos

avatar
author-rank tomo_hirano
Contributor

Created ‎07-11-2017 01:46 AM

@Rajkumar Singh thank you so much for your help!
2,891 Views
0 Kudos

avatar
author-rank rajkumar_singh author-rank
Super Guru

Created ‎07-11-2017 02:22 AM

np @Tomomichi Hirano feel free to accept best answer in this discussion thread so that other user can get benefit from it.

2,891 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements