
How to restrict yarn queue access when Hive Impersonation is turned off


Explorer

Hi Team,

Is there a way to restrict YARN queue access when hive.server2.enable.doAs is set to false? The Ranger YARN plugin has been enabled. When a query is submitted by an individual user, it is submitted as the hive user, which is expected. I have added the hive user in a deny condition for a specific queue, but the hive user is still able to submit jobs to the queue. I want only a few users to be able to submit jobs to that queue.


Re: How to restrict yarn queue access when Hive Impersonation is turned off

Contributor

@AdityaShaw Yes, with the help of YARN ACLs you can control the users submitting applications to a specific YARN queue.

Kindly follow these documents to enable YARN ACLs.

https://docs.cloudera.com/HDPDocuments/HDP2/HDP-2.6.5/bk_yarn-resource-management/content/controllin...

https://hadoop.apache.org/docs/current/hadoop-yarn/hadoop-yarn-site/CapacityScheduler.html
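
The queue ACL rule from the CapacityScheduler documentation linked above, as an added example that is not part of the original thread: a user may submit if the ACL on the queue or on any parent queue admits them, and an unset root ACL defaults to `*`, so restricting only the child queue leaves it open to the hive user. The sketch models native YARN ACLs only, not Ranger policy evaluation; the queue names (`root.default`, `root.restricted`), users, group and helper functions are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

PREFIX, SUFFIX = "yarn.scheduler.capacity.", ".acl_submit_applications"

# Constructed capacity-scheduler.xml fragments; queue, user and group names are made up.
# YARN enforces these ACLs only when yarn.acl.enable is true in yarn-site.xml.
WEAK = """<configuration>
  <property><name>yarn.scheduler.capacity.root.restricted.acl_submit_applications</name>
    <value>alice,bob</value></property>
</configuration>"""
HARDENED = """<configuration>
  <property><name>yarn.scheduler.capacity.root.acl_submit_applications</name>
    <value> </value></property>
  <property><name>yarn.scheduler.capacity.root.default.acl_submit_applications</name>
    <value>hive</value></property>
  <property><name>yarn.scheduler.capacity.root.restricted.acl_submit_applications</name>
    <value>alice,bob etl_admins</value></property>
</configuration>"""

def load_props(xml_text):
    """Map property name to raw value; whitespace is kept because ' ' means no one."""
    props = ET.fromstring(xml_text).iter("property")
    return {p.findtext("name").strip(): p.findtext("value") or "" for p in props}

def acl_allows(acl, user, groups):
    """Evaluate one 'user1,user2 group1,group2' ACL string ('*' means anyone)."""
    if acl.strip() == "*":
        return True
    users, _, acl_groups = acl.partition(" ")
    allowed_groups = set(acl_groups.split(",")) - {""}
    return user in users.split(",") or bool(allowed_groups & set(groups))

def can_submit(props, queue_path, user, groups=()):
    """True if the ACL on the queue or on any of its parent queues admits the user."""
    parts = queue_path.split(".")
    for depth in range(1, len(parts) + 1):
        queue = ".".join(parts[:depth])
        # An unset root ACL defaults to '*'; an unset child adds nothing of its own.
        default = "*" if queue == "root" else " "
        if acl_allows(props.get(PREFIX + queue + SUFFIX, default), user, groups):
            return True
    return False

if __name__ == "__main__":
    for label, xml_text in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, "hive ->", can_submit(load_props(xml_text), "root.restricted", "hive"))
```

With hive.server2.enable.doAs set to false, the user YARN evaluates for a Hive query is hive, so that is the identity to test against each queue.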


Re: How to restrict yarn queue access when Hive Impersonation is turned off

Explorer

@Prakashcit Thank you for the update. We are managing permissions through Ranger.


Re: How to restrict yarn queue access when Hive Impersonation is turned off

Contributor

If you are using Kerberos for authentication, when a job is submitted, the user permissions are evaluated first by Ranger, and only once the authorization is successful is the Kerberos ticket delegated to the hive user, and the hive user starts the execution. So, as long as the user who is submitting the job has a policy in Ranger, it should work as expected.

Hope this helps. If the comment helps you to find a solution or move forward, please accept it as a solution for other community members.
