
Can we share a set of LLAP daemons with multiple users when doAs is "true" in secured hadoop cluster?


Contributor

Here is my use case for example.

  • Launch LLAP (LLAP daemons, HiveServer2) on a Kerberized Hadoop cluster.
  • Set "hive.server2.enable.doAs" to "true" for HiveServer2.
  • Launch HiveServer2 with the "hive" account.
  • Launch LLAP (LLAP daemons) with the "hive" account.

In this case, can another kinit'ed user account (for example "userA") somehow use the LLAP daemons that were launched by the "hive" user account?

Accepted Solutions

Re: Can we share a set of LLAP daemons with multiple users when doAs is "true" in secured hadoop cluster?

@Tomomichi Hirano LLAP caches data for several queries running on it, so doAs is not supported in LLAP; every query run on LLAP runs as the hive user instead of the user who submitted the query. To get fine-grained control over accessibility, you can use Ranger security policies along with hive.server2.enable.doAs=false
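
A configuration check for the setup the accepted answer describes, as an added example that is not part of the original thread or of Cloudera's tooling: it audits a hive-site.xml for an LLAP HiveServer2 that still has doAs on or has no Ranger authorizer in place. The sample XML is constructed, and the fallback values for absent properties are assumptions based on Hive's documented defaults.

```python
import xml.etree.ElementTree as ET

# Constructed hive-site.xml fragment (sample input, not taken from the thread).
SAMPLE_HIVE_SITE = """<configuration>
  <property><name>hive.execution.mode</name><value>llap</value></property>
  <property><name>hive.server2.enable.doAs</name><value>true</value></property>
  <property><name>hive.security.authorization.enabled</name><value>true</value></property>
</configuration>"""

# Values assumed when a property is absent (doAs is on by default in Hive;
# the authorization manager is simply treated as "not Ranger" when unset).
DEFAULTS = {
    "hive.execution.mode": "container",
    "hive.server2.enable.doAs": "true",
    "hive.security.authorization.enabled": "false",
    "hive.security.authorization.manager": "",
}
RANGER_AUTHORIZER = "org.apache.ranger.authorization.hive.authorizer.RangerHiveAuthorizerFactory"


def load_props(xml_text):
    """Parse Hadoop-style <property><name>/<value> pairs on top of DEFAULTS."""
    props = dict(DEFAULTS)
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props


def audit_llap_access_control(xml_text):
    """Return findings for an LLAP HiveServer2 that should rely on Ranger."""
    p = load_props(xml_text)
    findings = []
    if p["hive.execution.mode"].lower() != "llap":
        return findings  # the checks below only apply to LLAP-backed HiveServer2
    if p["hive.server2.enable.doAs"].lower() != "false":
        findings.append("doAs is enabled: set hive.server2.enable.doAs=false for LLAP")
    if p["hive.security.authorization.enabled"].lower() != "true":
        findings.append("authorization disabled: queries run as hive with no per-user checks")
    if p["hive.security.authorization.manager"] != RANGER_AUTHORIZER:
        findings.append("authorization manager is not the Ranger Hive authorizer")
    return findings


if __name__ == "__main__":
    for finding in audit_llap_access_control(SAMPLE_HIVE_SITE):
        print("FINDING:", finding)
```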


Re: Can we share a set of LLAP daemons with multiple users when doAs is "true" in secured hadoop cluster?

Contributor

Thank you for the quick and clear answer. I understand we have to enable Ranger for LLAP.

BTW, can we enable Ranger only for LLAP (HiveServer2) as a first step? I'm asking because it's a little hard to add Ranger (plugins) to already existing Hadoop core components such as HDFS (NameNode/DataNodes) and YARN (ResourceManager/NodeManagers).

We plan to build a new server to launch LLAP (Hive2 HiveServer2 & LLAP with Slider & a new MetaStore DB), so if we can enable Ranger only for the new LLAP for now, it would be much easier for us than enabling Ranger for all existing Hadoop components.


Re: Can we share a set of LLAP daemons with multiple users when doAs is "true" in secured hadoop cluster?

@Tomomichi Hirano Yes, you can initially go with enabling Ranger at the HiveServer2 level for now. HiveServer2 will expect that you have read/write permission for the hive user on the files/folders on HDFS. Additionally, if you install the Ranger plugin for HDFS, that will be good for you: you need not mess with HDFS ACLs, and with Ranger you can manage it in a single place.


Re: Can we share a set of LLAP daemons with multiple users when doAs is "true" in secured hadoop cluster?

Contributor
@Rajkumar Singh thank you so much for your help!

Re: Can we share a set of LLAP daemons with multiple users when doAs is "true" in secured hadoop cluster?

np @Tomomichi Hirano, feel free to accept the best answer in this discussion thread so that other users can benefit from it.
