Is there anyway where we can restrict users not to override few properties of spark or any other components at runtime ?Thanks in advance.
I do not think there is an option to restrict users to allow editing only few specific properties not others.
But if you are managing your cluster using ambari then you can have a "read Only" user get created so that that particular user will not be able to make any config changes:
As per  Cluster User: Users assigned to the Cluster User role are able to view information about the cluster and its services, including configurations, service status and health alerts. Effectively, this is a “read-only” user. https://docs.hortonworks.com/HDPDocuments/Ambari-188.8.131.52/bk_ambari-administration/content/cluster_ro...
@Jay SenSharma Thanks for your quick response.
Can you please help me to clear following points:
for example if user is submitting spark job and he is giving value for spark.driver.maxResultSize=20G then can a user part of cluster user will not be able to change it.
spark-submit --verbose --master yarn --conf spark.yarn.executor.memoryOverhead=600 --num-executors 50 --conf spark.executor.memory=30G --conf spark.yarn.queue=batch --conf spark.driver.memory=30G --conf spark.kryoserializer.buffer.max=512M --conf spark.driver.cores=6 --conf spark.executor.cores=6 --conf spark.executor.instances=6 --conf spark.driver.maxResultSize=20G --conf spark.shuffle.memory.fraction=0.6 --conf spark.storage.memory.fraction=0.4 --conf spark.sql.shuffle.partitions=500 --conf "spark.executor.extraJavaOptions= ......
1. Component / Service Administrators typically define parameters as final in configuration files like core-site.xml for values that user/client applications may not alter.
The hadoop cluster "*.xml" config files can be marked as "final", indicating that they should not be overwritten by a client's configuration. It does not talk about user roles. Like which client can override it and which client can not. Once a property is declared as final then it can not be overwritten.
2. Ambari cluster roles are different. That only takes care of how *ambari* users will interact with the ambari using UI/Ambari Rest API. It can not be compared with the "final" feature of individual components.
I mean to say that we "can" prevent users from overriding properties at runtime using "final". (that is correct).
I mean to say that we "can" prevent users from overriding some properties at runtime using "final". (that is correct). As "final", indicates that they should not be overwritten by a client's configuration.
But i do not see an option using which a service component "userA" can make a runtime property change but not "userB". Becaue when Service Administrator mark the property as "final" then it is applied to all the users.
For other components ... Ranger can allow authorization, to have more control over what a user is authorized to do.