I have enabled Ranger Security for the YARN policy using the steps below:
Configure YARN to use only Ranger ACLs (i.e. ignore YARN ACLs):
Ambari > YARN > Custom ranger-yarn-security > add the property below and restart YARN
ranger.add-yarn-authorization = false
I have tested two scenarios:
yarn.acl.enable = true, ranger.add-yarn-authorization = false --> Only Ranger ACLs are applied
yarn.acl.enable = false, ranger.add-yarn-authorization = false --> Both YARN ACLs and Ranger ACLs are invalid
When we set yarn.acl.enable = false, the YARN ACL and Ranger ACL are invalid (lose efficiency). I don't know why.
In my case this setting on Ambari > Yarn > Config > Scheduler was vital:
yarn.scheduler.capacity.root.acl_submit_applications= (<--- there is a space there as value !! )
Explanation can be read here:
Basically, since this baseline authorization is not disabled by default, anyone can just submit any job in Yarn by default. Also, since all child queues inherit this auth from the root parent, submitting apps is very tolerant if you don't restrict it.
After I had done this, I finally started to see my Yarn Ranger policies kicking in and also many DENIED results on SUBMIT_APP on Ranger audit based on Access Enforcer "yarn-acl".
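Added example, not part of the posts above: a small Python audit of the queue-ACL inheritance described in this answer, showing why a blank (single space) root `acl_submit_applications` is what closes the queues. It models only the YARN queue ACL side, not Ranger policies; the queue and user names are constructed, and it assumes an unset root ACL behaves as `*` while an unset child ACL grants nothing.

```python
PREFIX = "yarn.scheduler.capacity."
SUFFIX = ".acl_submit_applications"

def parse_acl(value):
    """Parse 'users groups' (comma lists, one separating space); '*' = everyone."""
    if "*" in value:
        return None  # None means everyone is allowed
    users, _, groups = value.partition(" ")
    names = lambda s: {n.strip() for n in s.split(",") if n.strip()}
    return names(users), names(groups)

def queue_acl(props, queue):
    # Assumption: unset root ACL behaves as '*', unset child ACL grants nothing.
    default = "*" if queue == "root" else " "
    return parse_acl(props.get(PREFIX + queue + SUFFIX, default))

def ancestors(queue):
    """'root.a.b' -> ['root', 'root.a', 'root.a.b']"""
    parts = queue.split(".")
    return [".".join(parts[:i]) for i in range(1, len(parts) + 1)]

def can_submit(props, queue, user, groups=()):
    """Allowed if the queue or any parent queue lists the user or a group."""
    for q in ancestors(queue):
        acl = queue_acl(props, q)
        if acl is None or user in acl[0] or acl[1] & set(groups):
            return True
    return False

def open_to_everyone(props, queues):
    """Queues where some level of the hierarchy still allows '*'."""
    return [q for q in queues
            if any(queue_acl(props, a) is None for a in ancestors(q))]

# Constructed sample configs (queue and user names are made up).
QUEUES = ["root.default", "root.spark"]
BEFORE = {PREFIX + "root.spark" + SUFFIX: "etl_user"}    # root ACL left unset
AFTER = dict(BEFORE, **{PREFIX + "root" + SUFFIX: " "})  # root ACL = one space

if __name__ == "__main__":
    for name, props in (("before", BEFORE), ("after", AFTER)):
        print(name, "open queues:", open_to_everyone(props, QUEUES),
              "| alice -> root.spark:", can_submit(props, "root.spark", "alice"))
```

Exporting the scheduler properties from Ambari into a dict like `BEFORE` lets the same check run against a real queue tree before and after the change.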
Just wanted to follow up on this post. I'm facing the same issue, as I have set up a Ranger policy for groups when submitting Spark jobs. However, every user that submits a Spark job, regardless of the policy they are assigned to in Ranger, goes to the spark queue since my yarn.spark.queue=spark.
Here's my current setup as well: