Support Questions
Find answers, ask questions, and share your expertise

How to restrict yarn queue access when Hive Impersonation is turned off


Hi Team,

Is there a way to restrict yarn queue access when hive.server2.enable.doAs is set to false. Ranger YARN plugin has been enabled. When submitting the query using individual user it is getting submitted as hive user which is expected. I have added hive user in deny condition for a specific queue but hive user is still able to submit job on the queue. I want only few users to submit job in that queue.





@AdityaShaw  Yes with the help of Yarn ACL's you can control the users submitting applications to specific yarn queue.


Kindly follow these documents to enable yarn acl.


@Prakashcit Thank you for the update. We are managing permissions through Ranger.





If you are using Kerberos for authentication, when a job is submitted, the user permissions are evaluated first by Ranger and once the authorization is successful, only then the Kerberos ticket is delegated to hive user and the hive user starts the execution. So, as long as the user who is submitting the job has a policy in Ranger, it should work as expected.

Hope this helps. If the comment helps you to find a solution or move forward, please accept it as a solution for other community members.

; ;