Ranger for YARN RM: Not using group membership

Expert Contributor

Hi community,

I am running a kerberized HDP 2.5 cluster with Ranger policies activated for everything. I have synced Ranger with LDAP and Linux with AD to have consistent group memberships.

With SPNEGO, the access to the ResourceManager is also a matter of authorization. Only users with administer_queue rights on a queue can view details of applications in that queue.

My problem is: When creating Ranger policies for YARN queues, rights based on groups are not respected in the RM WebUI. Only user-based rights are accepted. The group membership is, however, shown correctly in Ranger.

Do you have any idea how to ensure that YARN uses the correct groups for granting rights?

Thanks!

Accepted Solutions

Re: Ranger for YARN RM: Not using group membership

Expert Contributor

It was a problem with case conversion. Hadoop seems to require all lowercase principals, whereas the used principals were all uppercase.

Adding /L to the Auth_to_local mapping solved the problem.
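To see what the trailing /L changes, here is an added example (not the poster's configuration and not Hadoop's code): a simplified Python model of how one `hadoop.security.auth_to_local` rule turns a Kerberos principal into a short name. The realm `EXAMPLE.COM`, the principal `JDOE`, the rule text and the group table are all constructed assumptions; the group table only illustrates a case-sensitive lookup.

```python
import re

# Simplified model of the auth_to_local rule grammar (single RULE, no DEFAULT).
RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g)?)?/?(L)?$"
)

def short_name(rule, principal):
    """Apply one rule; return the short name, or None if the rule does not match."""
    m = RULE_RE.match(rule.strip())
    if m is None:
        raise ValueError("unsupported rule: " + rule)
    ncomp, fmt, match, frm, to, repeat, lower = m.groups()
    name, _, realm = principal.partition("@")
    params = [realm] + name.split("/")      # $0 = realm, $1.. = name components
    if len(params) - 1 != int(ncomp):       # rule applies to N-component names only
        return None
    base = re.sub(r"\$(\d)", lambda p: params[int(p.group(1))], fmt)
    if match is not None and re.fullmatch(match, base) is None:
        return None
    result = base
    if frm is not None:                     # sed-style substitution (plain text only)
        result = re.sub(frm, to, base, count=0 if repeat else 1)
    return result.lower() if lower else result   # /L lowercases the short name

# Constructed group table: keys are lowercase and the lookup is case-sensitive.
GROUPS = {"jdoe": ["analysts"]}

def groups_for(rule, principal):
    """Groups found for the short name this rule produces (constructed data)."""
    return GROUPS.get(short_name(rule, principal), [])

# Constructed rules: the same mapping without and with the /L suffix.
OLD = r"RULE:[1:$1@$0](.*@EXAMPLE\.COM)s/@.*//"
NEW = OLD + "/L"

if __name__ == "__main__":
    for rule in (OLD, NEW):
        p = "JDOE@EXAMPLE.COM"
        print(rule, "->", short_name(rule, p), groups_for(rule, p))
```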
