Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

How to restrict yarn queue access when Hive Impersonation is turned off

avatar
author-rank AdityaShaw
Explorer

Created ‎08-15-2020 02:42 AM

Hi Team,

Is there a way to restrict yarn queue access when hive.server2.enable.doAs is set to false. Ranger YARN plugin has been enabled. When submitting the query using individual user it is getting submitted as hive user which is expected. I have added hive user in deny condition for a specific queue but hive user is still able to submit job on the queue. I want only few users to submit job in that queue.

AdityaShaw_0-1597484508068.png

 

1,634 Views
0 Kudos
3 REPLIES 3

avatar
author-rank Prakashcit author-rank
Expert Contributor

Created ‎08-17-2020 07:41 AM

@AdityaShaw  Yes with the help of Yarn ACL's you can control the users submitting applications to specific yarn queue.

 

Kindly follow these documents to enable yarn acl.

 

https://docs.cloudera.com/HDPDocuments/HDP2/HDP-2.6.5/bk_yarn-resource-management/content/controllin...

 

https://hadoop.apache.org/docs/current/hadoop-yarn/hadoop-yarn-site/CapacityScheduler.html

1,607 Views
0 Kudos

avatar
author-rank AdityaShaw
Explorer

Created ‎08-20-2020 03:17 AM

@Prakashcit Thank you for the update. We are managing permissions through Ranger.

AdityaShaw_0-1597918597465.png

 

 

1,578 Views
0 Kudos

avatar
author-rank SagarKanani
Contributor

Created ‎08-21-2020 12:56 AM

If you are using Kerberos for authentication, when a job is submitted, the user permissions are evaluated first by Ranger and once the authorization is successful, only then the Kerberos ticket is delegated to hive user and the hive user starts the execution. So, as long as the user who is submitting the job has a policy in Ranger, it should work as expected.

Hope this helps. If the comment helps you to find a solution or move forward, please accept it as a solution for other community members.

1,566 Views
0 Kudos
Announcements
Product Announcements
[ANNOUNCE] Cloudera on Public Cloud Runtime 7.2.18 is GA!
What's New @ Cloudera
Cloudera Operational Database (COD) supports enhancements to...
Community Announcements
March 2024 Community Highlights
Community Announcements
Celebrating 100,000 Members: A Journey of Growth and Connect...
Product Announcements
[ANNOUNCE] New Cloudera JDBC Connector for Apache Hive 2.6.2...
View More Announcements