Can we share a set of LLAP daemons with multiple users when doAs is "true" in secured hadoop cluster?

Contributor

Here is my use case for example.

  • Launch LLAP (LLAP daemons, HiveServer2) on Kerberized Hadoop Cluster.
  • Set "true" to "hive.server2.enable.doAs" for Hiveserver2.
  • Launch HiveServer2 with "hive" account.
  • Launch LLAP (LLAP daemons) with "hive" account.

In this case, can another kinited user account (for example "userA") somehow use the LLAP daemons which are launched by the "hive" user account?

1 ACCEPTED SOLUTION

Super Guru

@Tomomichi Hirano LLAP caches data for several queries running on it, so doAs is not supported in LLAP; every query run on LLAP runs as the hive user instead of the user who submitted the query. To get fine-grained control over accessibility, you can use Ranger security policies along with hive.server2.enable.doAs=false.


5 REPLIES 5

Contributor

Thank you for the quick and clear answer. I understood we have to enable Ranger for LLAP.

BTW, can we enable Ranger only for LLAP (HiveServer2) as a first step? I'm asking because it's a little hard to add Ranger (plugins) for already existing Hadoop core components such as HDFS (NameNode/DataNodes) and YARN (ResourceManager/NodeManagers).

We plan to build a new server to launch LLAP (Hive2 HiveServer2 & LLAP with Slider & new MetaStore DB), so if we can enable Ranger only for the new LLAP for now, it would be much easier for us than enabling Ranger for all existing Hadoop components.

Super Guru

@Tomomichi Hirano Ya, you can initially go with enabling Ranger at the HiveServer2 level for now. HiveServer2 will expect that you have read/write permission for the hive user on files/folders on HDFS. Additionally, if you install the Ranger plugin for HDFS, then it will be good for you, so that you need not mess with HDFS ACLs, and with Ranger you can manage at a single place.
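
A pre-deployment check for the setup recommended in this thread (doAs off, Ranger authorizing at HiveServer2), added here as an example and not code from the thread or from Hive/Ranger. The function names and both sample `hive-site.xml` bodies are constructed; the property names and the Ranger authorizer class are the standard Hive/Ranger ones.

```python
import xml.etree.ElementTree as ET

RANGER = "org.apache.ranger.authorization.hive.authorizer.RangerHiveAuthorizerFactory"
# Hive's built-in defaults, applied when hive-site.xml omits the property.
DEFAULTS = {"hive.server2.enable.doAs": "true",
            "hive.security.authorization.enabled": "false"}

def load_props(xml_text):
    """Return {name: value} parsed from hive-site.xml text, layered over DEFAULTS."""
    props = dict(DEFAULTS)
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def audit_llap_site(xml_text):
    """Return (property, problem) pairs; an empty list means the file matches the advice."""
    p, findings = load_props(xml_text), []
    if p["hive.server2.enable.doAs"].lower() != "false":
        findings.append(("hive.server2.enable.doAs",
                         "must be false: LLAP runs every query as the hive user"))
    if p["hive.security.authorization.enabled"].lower() != "true":
        findings.append(("hive.security.authorization.enabled",
                         "authorization is not enabled in HiveServer2"))
    if p.get("hive.security.authorization.manager", "") != RANGER:
        findings.append(("hive.security.authorization.manager",
                         "Ranger authorizer is not configured"))
    return findings

# Constructed sample: doAs left on, no authorizer configured.
WEAK_SITE = """<configuration>
  <property><name>hive.server2.enable.doAs</name><value>true</value></property>
</configuration>"""

# Constructed sample: the combination recommended in the accepted answer.
HARDENED_SITE = f"""<configuration>
  <property><name>hive.server2.enable.doAs</name><value>false</value></property>
  <property><name>hive.security.authorization.enabled</name><value>true</value></property>
  <property><name>hive.security.authorization.manager</name><value>{RANGER}</value></property>
</configuration>"""

if __name__ == "__main__":
    for label, body in (("weak", WEAK_SITE), ("hardened", HARDENED_SITE)):
        print(label, audit_llap_site(body) or "OK")
```

An empty `<configuration/>` is also flagged, because Hive defaults `hive.server2.enable.doAs` to true when the property is absent.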

Contributor
@Rajkumar Singh thank you so much for your help!

Super Guru

np @Tomomichi Hirano, feel free to accept the best answer in this discussion thread so that other users can benefit from it.