Is there a way to restrict yarn queue access when hive.server2.enable.doAs is set to false. Ranger YARN plugin has been enabled. When submitting the query using individual user it is getting submitted as hive user which is expected. I have added hive user in deny condition for a specific queue but hive user is still able to submit job on the queue. I want only few users to submit job in that queue.
@AdityaShaw Yes with the help of Yarn ACL's you can control the users submitting applications to specific yarn queue.
Kindly follow these documents to enable yarn acl.
If you are using Kerberos for authentication, when a job is submitted, the user permissions are evaluated first by Ranger and once the authorization is successful, only then the Kerberos ticket is delegated to hive user and the hive user starts the execution. So, as long as the user who is submitting the job has a policy in Ranger, it should work as expected.
Hope this helps. If the comment helps you to find a solution or move forward, please accept it as a solution for other community members.