- Subscribe to RSS Feed
- Mark Question as New
- Mark Question as Read
- Float this Question for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
How to restrict yarn queue access when Hive Impersonation is turned off
Created 08-15-2020 02:42 AM
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Team,
Is there a way to restrict yarn queue access when hive.server2.enable.doAs is set to false. Ranger YARN plugin has been enabled. When submitting the query using individual user it is getting submitted as hive user which is expected. I have added hive user in deny condition for a specific queue but hive user is still able to submit job on the queue. I want only few users to submit job in that queue.
Created 08-17-2020 07:41 AM
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@AdityaShaw Yes with the help of Yarn ACL's you can control the users submitting applications to specific yarn queue.
Kindly follow these documents to enable yarn acl.
https://hadoop.apache.org/docs/current/hadoop-yarn/hadoop-yarn-site/CapacityScheduler.html
Created 08-20-2020 03:17 AM
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Created 08-21-2020 12:56 AM
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you are using Kerberos for authentication, when a job is submitted, the user permissions are evaluated first by Ranger and once the authorization is successful, only then the Kerberos ticket is delegated to hive user and the hive user starts the execution. So, as long as the user who is submitting the job has a policy in Ranger, it should work as expected.
Hope this helps. If the comment helps you to find a solution or move forward, please accept it as a solution for other community members.