Support Questions

benhadoop · ‎11-10-2016

Hi community,

I am running a kerberized HDP 2.5 cluster with Ranger policies activated for everything. I have synced Ranger with LDAP and Linux with AD to have consistent group memberships.

With SPNEGO, the access to the ResourceManager ist also a matter of authorization. Only users with administer_queue rights on a queue can view details of applications in that queue.

My problem is: When creating Ranger policies for YARN queues, rights based on groups are not respected in the RM WebUI. Only user-based rights are accepted. The group membership is, however, shown correctly in Ranger.

Do you have any idea, how to ensure that YARN uses the correct groups for granting rights?

Thanks!

benhadoop · ‎11-10-2016

It was a problem with case conversion. Hadoop seems to require all lowercase principals, whereas the used principals were all uppercase.

Adding /L to the Auth_to_local mapping solved the problem.

View solution in original post

benhadoop · ‎11-10-2016

It was a problem with case conversion. Hadoop seems to require all lowercase principals, whereas the used principals were all uppercase.

Adding /L to the Auth_to_local mapping solved the problem.

Cloudera Community

Support Questions

Ranger for YARN RM: Not using group membership