
How to restrict queue submission with Sentry activated on CDH 5.13?


Hi Cloudera Team,

I'm facing a problem of queue submission restriction with Sentry. I already checked this solved post: https://community.cloudera.com/t5/Cloudera-Manager-Installation/sentry-hive-kerberos-resource-manage... (on which I also posted the same description as below).

Here is my need: I have different kinds of users on my clusters and I would like to set submission rights on queues for users and groups in order to restrict access when they are using Hive (because I use Sentry for Hive).

I'm using CDH 5.13 with Kerberos and Sentry. As I am using Sentry, impersonation is disabled.

I don't understand how to configure Dynamic Resource Pool Configuration to work using the original user's groups (me, not hive).

My configuration is:

root
|--A
|--B

On root, submission ACLs are set to allow only the "sentry" user to submit in this pool.

On A, submission ACLs are set to allow only group A to submit in this pool.

On B, submission ACLs are set to allow only group B to submit in this pool.

Placement rules are:

1 - "Use the pool Specified at run time, only if the pool exists."

2 - "Use the pool root.[username] and create the pool if it does not exist."

When I submit a query with a user from group A, using Hue and setting "set mapred.job.queue.name=A;", I get the error: "User hive cannot submit applications to queue root.A"

If I add hive to the allowed users on root, the query works fine, but both A and B users can submit queries.

If I add hive to only the "A" resource pool, then users from the A and B groups can submit queries to resource pool A, but none can submit to resource pool B.

Maybe I am missing an important part: if I add hive to the authorized users, it will break the ACLs, as every user could use all the resource pools.

Can you give me the right configuration to set?
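
The three outcomes described in the post, modelled as an added example (not part of the original post and not Cloudera or YARN code): Fair Scheduler allows a submission when the target pool or any ancestor pool lists the submitting user or one of their groups, and with impersonation disabled the submitting user is hive. `Pool`, `can_submit`, `build_pools` and `as_seen_by_yarn` are hypothetical names, and the `alice` account and group memberships are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Pool:
    name: str
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    parent: Optional["Pool"] = None

def can_submit(pool, user, user_groups):
    """Allow if this pool or any ancestor lists the user or one of their groups."""
    node = pool
    while node is not None:
        if user in node.users or node.groups & set(user_groups):
            return True
        node = node.parent
    return False

def build_pools(root_users, a_users=()):
    """The post's tree: root -> A (group A), B (group B); extra users are parameters."""
    root = Pool("root", users=set(root_users))
    return {
        "A": Pool("root.A", users=set(a_users), groups={"A"}, parent=root),
        "B": Pool("root.B", groups={"B"}, parent=root),
    }

# Constructed identities: the service account and one end user in group A.
HIVE = ("hive", {"hive"})
ALICE = ("alice", {"A"})   # hypothetical member of group A

def as_seen_by_yarn(pools, submitter):
    """Result per pool for the identity the ACL check is evaluated against."""
    user, groups = submitter
    return {name: can_submit(p, user, groups) for name, p in pools.items()}

if __name__ == "__main__":
    cases = {
        "root=sentry": build_pools({"sentry"}),
        "root=sentry,hive": build_pools({"sentry", "hive"}),
        "hive on A only": build_pools({"sentry"}, a_users={"hive"}),
    }
    for label, pools in cases.items():
        # Impersonation is off, so every Hive query is checked as 'hive',
        # and the end user's groups never enter the decision.
        print(label, "-> checked as hive:", as_seen_by_yarn(pools, HIVE),
              "| if checked as alice:", as_seen_by_yarn(pools, ALICE))
```

The ACL on root is inherited by A and B, which is why adding hive there opens both pools to every Hive user.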