
Want to enable Ranger Security for Yarn Policy


Contributor

HDP 2.6.1
I have enabled Ranger Security for the YARN policy using the steps below:

Configure YARN to use only Ranger ACLs (i.e. ignore YARN ACLs)
Ambari > YARN > Custom ranger-yarn-security > add the property below and restart YARN
ranger.add-yarn-authorization = false
I have tested two scenarios:
Scenario I:
yarn.acl.enable = true
ranger.add-yarn-authorization = false 
-->Only Ranger ACL are applied

Scenario II:

yarn.acl.enable = false
ranger.add-yarn-authorization=false 
-->Both YARN Acl & Ranger ACL are invalid

When we set yarn.acl.enable = false, YARN ACL and Ranger ACL are invalid (lose efficiency). I don't know why.


Re: Want to enable Ranger Security for Yarn Policy

Super Collaborator

Hi Pravin,

In my case this setting on Ambari > Yarn > Config > Scheduler was vital:

yarn.scheduler.capacity.root.acl_submit_applications=       (<--- there is a space there as value !! )

Explanation can be read here:

https://community.hortonworks.com/content/supportkb/49101/capacity-scheduler-users-can-submit-to-any...

Basically, since this baseline authorization is not disabled by default, anyone can just submit any job in Yarn by default. Also, since all child queues inherit this auth from the root parent, submitting an app is very tolerant if you don't restrict it.

After I had done this, I finally started to see my Yarn Ranger policies kicking in and also many DENIED results on SUBMIT_APP on Ranger audit based on Access Enforcer "yarn-acl"
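
The inheritance described in the reply above can be checked offline against an export of the Capacity Scheduler properties. The following is an added example, not part of the original posts: it assumes the documented Capacity Scheduler behaviour (a user may submit if the ACL of the queue or of any parent queue matches, `*` means anyone, a single space means no one, and an unset root ACL defaults to `*`), and the sample properties and the `sparkuser` name are constructed.

```python
# Added example (not from the thread): find queues where anyone can submit.
PREFIX = "yarn.scheduler.capacity."
SUFFIX = ".acl_submit_applications"

def parse_props(text):
    """Parse key=value lines. Values are not stripped: ' ' means 'no one'."""
    props = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            key, value = line.split("=", 1)
            props[key.strip()] = value
    return props

def queue_paths(props, path="root"):
    """List every queue path by walking the <path>.queues properties."""
    paths = [path]
    children = props.get(PREFIX + path + ".queues", "")
    for child in filter(None, (c.strip() for c in children.split(","))):
        paths += queue_paths(props, path + "." + child)
    return paths

def is_wildcard(props, path):
    """True if this queue's own submit ACL is '*'; an unset root defaults to '*'."""
    acl = props.get(PREFIX + path + SUFFIX)
    if acl is None:
        return path == "root"
    return acl.strip() == "*"

def open_queues(props):
    """Map each world-submittable queue to the nearest-root queue granting '*'."""
    result = {}
    for path in queue_paths(props):
        parts = path.split(".")
        chain = [".".join(parts[:i]) for i in range(1, len(parts) + 1)]
        culprit = next((p for p in chain if is_wildcard(props, p)), None)
        if culprit:
            result[path] = culprit
    return result

# Constructed sample input: root ACL unset, then set to a single space.
SAMPLE_DEFAULT = (
    "yarn.scheduler.capacity.root.queues=default,spark\n"
    "yarn.scheduler.capacity.root.spark.acl_submit_applications=sparkuser\n"
)
SAMPLE_LOCKED = SAMPLE_DEFAULT + "yarn.scheduler.capacity.root.acl_submit_applications= \n"

if __name__ == "__main__":
    for name, text in (("default", SAMPLE_DEFAULT), ("locked", SAMPLE_LOCKED)):
        print(name, open_queues(parse_props(text)))
```

With the root ACL unset, every queue is reported as open through `root` even though `root.spark` names a specific user; with the single-space value on root, nothing is reported.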

Re: Want to enable Ranger Security for Yarn Policy

New Contributor

Hi,

Just wanted to follow up on this post. I'm facing the same issue, as I have set up a Ranger policy for groups when submitting Spark jobs. However, every user that submits a Spark job, regardless of the policy they are assigned to in Ranger, goes to the spark queue, since my yarn.spark.queue=spark

Here's my current setup as well:

yarn.acl.enable=true

ranger.add-yarn-authorization=false

Please help.

Thank you.