Can we share a set of LLAP daemons with multiple users when doAs is "true" in secured hadoop cluster?

New Contributor

Here is my use case for example.

  • Launch LLAP (LLAP daemons, HiveServer2) on a Kerberized Hadoop cluster.
  • Set "hive.server2.enable.doAs" to "true" for HiveServer2.
  • Launch HiveServer2 with the "hive" account.
  • Launch LLAP (LLAP daemons) with the "hive" account.

In this case, can another kinited user account (for example "userA") somehow use the LLAP daemons that were launched by the "hive" user account?

Accepted Solutions

Re: Can we share a set of LLAP daemons with multiple users when doAs is "true" in secured hadoop cluster?

@Tomomichi Hirano LLAP caches data for several queries running on it, so doAs is not supported in LLAP; every query run on LLAP runs as the hive user instead of the user who submitted the query. To get fine-grained control over accessibility, you can use Ranger security policies along with hive.server2.enable.doAs=false.
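
A config check for the setup this answer describes, as an added example that is not part of the original thread: it parses a hive-site.xml and flags an LLAP HiveServer2 that leaves doAs on or has no Ranger authorizer configured. The sample XML is constructed; `hive.execution.mode`, the `hive.security.authorization.*` keys and the Ranger factory class name are Apache Hive and Ranger names that do not appear in the thread, and the finding ids are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed hive-site.xml samples (not from any real cluster).
DOAS_ON = """<configuration>
  <property><name>hive.execution.mode</name><value>llap</value></property>
  <property><name>hive.server2.enable.doAs</name><value>true</value></property>
</configuration>"""

RANGER_ON = """<configuration>
  <property><name>hive.execution.mode</name><value>llap</value></property>
  <property><name>hive.server2.enable.doAs</name><value>false</value></property>
  <property><name>hive.security.authorization.enabled</name><value>true</value></property>
  <property><name>hive.security.authorization.manager</name>
    <value>org.apache.ranger.authorization.hive.authorizer.RangerHiveAuthorizerFactory</value>
  </property>
</configuration>"""


def load_props(xml_text):
    """Parse Hadoop-style <configuration> XML into a {name: value} dict."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props


def audit_llap_authz(xml_text):
    """Return finding ids for an LLAP HiveServer2 config; [] means consistent."""
    p = load_props(xml_text)
    if p.get("hive.execution.mode", "").lower() != "llap":
        return []  # the checks below only matter when queries run in LLAP
    findings = []
    # HiveServer2 defaults doAs to true, so a missing key counts as enabled.
    if p.get("hive.server2.enable.doAs", "true").lower() != "false":
        findings.append("doas_not_false")
    # Queries run as the hive user, so per-user control must come from policies.
    if p.get("hive.security.authorization.enabled", "false").lower() != "true":
        findings.append("authorization_disabled")
    if "ranger" not in p.get("hive.security.authorization.manager", "").lower():
        findings.append("authorizer_not_ranger")
    return findings


if __name__ == "__main__":
    for label, xml_text in (("doAs on", DOAS_ON), ("Ranger on", RANGER_ON)):
        print(label, "->", audit_llap_authz(xml_text) or "ok")
```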

Re: Can we share a set of LLAP daemons with multiple users when doAs is "true" in secured hadoop cluster?

New Contributor

Thank you for the quick and clear answer. I understand we have to enable Ranger for LLAP.

BTW, can we enable Ranger only for LLAP (HiveServer2) as the first step? I'm asking because it's a little hard to add Ranger (plugins) to already existing Hadoop core components such as HDFS (NameNode/DataNodes) and YARN (ResourceManager/NodeManagers).

We plan to build a new server to launch LLAP (Hive2 HiveServer2 & LLAP with Slider & new MetaStore DB), so if we can enable Ranger only for the new LLAP for now, it would be much easier for us than enabling Ranger for all existing Hadoop components.

Re: Can we share a set of LLAP daemons with multiple users when doAs is "true" in secured hadoop cluster?

@Tomomichi Hirano Yes, you can initially go with enabling Ranger at the HiveServer2 level for now. HiveServer2 will expect that you have read/write permission for the hive user on the files/folders on HDFS. Additionally, if you install the Ranger plugin for HDFS, it will be good for you, so that you need not mess with HDFS ACLs, and with Ranger you can manage everything in a single place.

Re: Can we share a set of LLAP daemons with multiple users when doAs is "true" in secured hadoop cluster?

New Contributor
@Rajkumar Singh thank you so much for your help!

Re: Can we share a set of LLAP daemons with multiple users when doAs is "true" in secured hadoop cluster?

np @Tomomichi Hirano, feel free to accept the best answer in this discussion thread so that other users can benefit from it.
