Want to enable Ranger Security for Yarn Policy


HDP 2.6.1
I have enabled Ranger Security for the YARN policy using the steps below:

Configure YARN to use only Ranger ACLs (i.e. ignore YARN ACLs)
Ambari > YARN > Custom ranger-yarn-security > add the property below and restart YARN
ranger.add-yarn-authorization = false
I have tested two scenarios:
Scenario I:
yarn.acl.enable = true
ranger.add-yarn-authorization = false 
--> Only Ranger ACLs are applied

Scenario II:

yarn.acl.enable = false
ranger.add-yarn-authorization=false 
--> Both YARN ACLs & Ranger ACLs are invalid

When we set yarn.acl.enable = false, the YARN ACLs and Ranger ACLs are invalid (lose efficiency). I don't know why.


Hi Pravin,

In my case this setting on Ambari > Yarn > Config > Scheduler was vital:

yarn.scheduler.capacity.root.acl_submit_applications=       (<--- there is a space there as value !! )

Explanation can be read here:

https://community.hortonworks.com/content/supportkb/49101/capacity-scheduler-users-can-submit-to-any...

Basically, since this baseline authorization is not disabled by default, anyone can just submit any job in Yarn by default. Also, since all child queues inherit this auth from the root parent, submitting apps is very tolerant if you don't restrict it.

After I had done this, I finally started to see my Yarn Ranger policies kicking in and also many DENIED results on SUBMIT_APP on Ranger audit based on Access Enforcer "yarn-acl".
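The queue ACL inheritance described in the reply above can be audited offline. The following is an added example, not part of the original post or of any Hortonworks tooling: it lists the queues whose effective acl_submit_applications is open to everyone, assuming the Capacity Scheduler rules that an unset root ACL means "*", an unset child ACL grants nothing of its own, and access granted on any ancestor queue carries down. The queue names, user and group in the sample are constructed.

```python
PREFIX = "yarn.scheduler.capacity."


def parse_acl(value):
    """Parse 'user1,user2 group1,group2'; '*' means anyone, ' ' means no one."""
    if value.strip() == "*":
        return "*"
    users, _, groups = value.partition(" ")
    names = lambda s: {n.strip() for n in s.split(",") if n.strip()}
    return names(users), names(groups)


def queue_paths(props, path="root"):
    """Yield every queue path declared through the '<path>.queues' properties."""
    yield path
    children = props.get(PREFIX + path + ".queues", "")
    for child in filter(None, (c.strip() for c in children.split(","))):
        yield from queue_paths(props, path + "." + child)


def effective_submit_acl(props, path):
    """Union of the submit ACLs on the queue and all its ancestors."""
    users, groups = set(), set()
    parts = path.split(".")
    for i in range(1, len(parts) + 1):
        ancestor = ".".join(parts[:i])
        default = "*" if ancestor == "root" else " "  # assumed defaults
        key = PREFIX + ancestor + ".acl_submit_applications"
        acl = parse_acl(props.get(key, default))
        if acl == "*":
            return "*"
        users |= acl[0]
        groups |= acl[1]
    return users, groups


def open_queues(props):
    """Queues that any authenticated user can submit to via YARN ACLs."""
    return [q for q in queue_paths(props) if effective_submit_acl(props, q) == "*"]


# Constructed sample: root ACL left unset, then set to a single space.
BEFORE = {
    PREFIX + "root.queues": "default,spark",
    PREFIX + "root.spark.acl_submit_applications": "alice analysts",
}
AFTER = {**BEFORE, PREFIX + "root.acl_submit_applications": " "}

if __name__ == "__main__":
    for label, props in (("before", BEFORE), ("after", AFTER)):
        print(label, "open to everyone:", open_queues(props))
```

In the "before" sample the restriction on root.spark has no effect because the unset root ACL already admits everyone; only after root is set to a single space does the child ACL become the deciding one.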

Hi,

Just wanted to follow up on this post. I'm facing the same issue, as I have set up a Ranger policy for groups when submitting spark jobs. However, every user that submits a spark job, regardless of the policy they are assigned to in Ranger, goes to the spark queue since my yarn.spark.queue=spark.

Here's my current setup as well:

yarn.acl.enable=true

ranger.add-yarn-authorization=false

Please help.

Thank you.
