Ranger for YARN RM: Not using group membership

Hi community,

I am running a kerberized HDP 2.5 cluster with Ranger policies activated for everything. I have synced Ranger with LDAP and Linux with AD to have consistent group memberships.

With SPNEGO, the access to the ResourceManager is also a matter of authorization. Only users with administer_queue rights on a queue can view details of applications in that queue.

My problem is: When creating Ranger policies for YARN queues, rights based on groups are not respected in the RM WebUI. Only user-based rights are accepted. The group membership is, however, shown correctly in Ranger.

Do you have any idea how to ensure that YARN uses the correct groups for granting rights?

Thanks!

1 ACCEPTED SOLUTION

It was a problem with case conversion. Hadoop seems to require all lowercase principals, whereas the used principals were all uppercase.

Adding /L to the Auth_to_local mapping solved the problem.
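
How the `/L` flag changes the mapped short name, as an added example that is not part of the original post: a simplified Python model of the `RULE:[n:format](match)s/pattern/replacement/g/L` syntax, not Hadoop's own code. The principal, realm, rule and group table are constructed, and the case-sensitive group lookup is an assumption.

```python
import re

# Simplified model (not Hadoop's code) of one auth_to_local rule:
#   RULE:[n:format](match)s/pattern/replacement/g/L
RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?"
    r"(?:s/([^/]*)/([^/]*)/(g)?)?/?(L)?$"
)

def apply_rule(rule, principal):
    """Return the short name the rule yields, or None if it does not apply."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError("unsupported rule: " + rule)
    n, fmt, match, pat, repl, g, lower = m.groups()
    name, _, realm = principal.partition("@")
    parts = name.split("/")
    if len(parts) != int(n):          # rule is for another principal shape
        return None
    values = [realm] + parts          # $0 is the realm, $1..$n the components
    base = re.sub(r"\$(\d)", lambda x: values[int(x.group(1))], fmt)
    if match is not None and not re.fullmatch(match, base):
        return None
    if pat is not None:               # sed-style substitution
        base = re.sub(pat, repl, base, count=0 if g else 1)
    return base.lower() if lower else base   # /L lowercases the result

# Constructed sample data; the case-sensitive lookup is an assumption.
GROUPS = {"jdoe": ["yarn-queue-admins"]}
PRINCIPAL = "JDOE@EXAMPLE.COM"
WITHOUT_L = r"RULE:[1:$1@$0](.*@EXAMPLE\.COM)s/@.*//"
WITH_L = WITHOUT_L + "/L"

def groups_for(rule, principal):
    """Map the principal to a short name and look up its groups."""
    short = apply_rule(rule, principal)
    return short, GROUPS.get(short, [])

if __name__ == "__main__":
    for rule in (WITHOUT_L, WITH_L):
        print(rule, "->", groups_for(rule, PRINCIPAL))
```

On a cluster node, `hadoop org.apache.hadoop.security.HadoopKerberosName <principal>` prints the short name the configured rules actually produce.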
