Support Questions

Find answers, ask questions, and share your expertise

Want to enable Ranger Security for Yarn Policy

Rising Star

HDP 2.6.1
I have enabled Ranger Security for yarn policy using below steps:

Configure YARN to use only Ranger ACLs (i.e ignore YARN ACLs)
Ambari > YARN > Custom ranger-yarn-security > add below property and restart YARN
ranger.add-yarn-authorization = false
I have tested to scenarios:
Scenario I:
yarn.acl.enable = true
ranger.add-yarn-authorization = false 
-->Only Ranger ACL are applied

Scenario II:

yarn.acl.enable = false
-->Both YARN Acl & Ranger ACL are invalid

when we set yarn.acl.enable = false, yarn acl and ranger acl are invalid(lose efficiency).I don't know why.


Super Collaborator

Hi Pravin,

I my case this setting on Ambari > Yarn > Config > Scheduler was vital:

yarn.scheduler.capacity.root.acl_submit_applications=       (<--- there is a space there as value !! )

Explanation can be read here:

Basically since this baseline authorization is not disabled by default, anyone can just submit any job in Yarn by default. Also since all child queue inherit this auth from the root parent submitting app is very tolerant if you don't restrict it.

After I had done this, I finally started to see my Yarn Ranger policies kicking in and also many DENIED results on SUBMIT_APP on Ranger audit based on Access Enforcer "yarn-acl"


Just wanted to follow up on this post. I'm facing the same issue as I have setup Ranger policy for groups when submitting spark jobs. However, every user that submits a spark job, regardless of policy they are assigned to in Ranger, goes to spark queue since my yarn.spark.queue=spark

Here's my current setup as well:



Please help.

Thank you.

Take a Tour of the Community
Don't have an account?
Your experience may be limited. Sign in to explore more.