I am running a kerberized HDP 2.5 cluster with Ranger policies activated for everything. I have synced Ranger with LDAP and Linux with AD to have consistent group memberships.
With SPNEGO, the access to the ResourceManager is also a matter of authorization. Only users with administer_queue rights on a queue can view details of applications in that queue.
My problem is: When creating Ranger policies for YARN queues, rights based on groups are not respected in the RM WebUI. Only user-based rights are accepted. The group membership is, however, shown correctly in Ranger.
Do you have any idea how to ensure that YARN uses the correct groups for granting rights?