Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

service level authorisation

Labels:
avatar
author-rank garunkumar85
Expert Contributor

Created ‎01-28-2016 06:36 PM

What are the consequencs/ disadvantages setting hadoop.security.authorization to true? why its by default set to false.

2,700 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank bleonhardi
Master Guru

Created ‎01-28-2016 08:35 PM

If you enable it you also need to define ACLs for the different yarn services. I.e. define users and groups that can execute specific tasks. More details can be found here.

https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/ServiceLevelAuth.html#Enabl...

View solution in original post

2,515 Views
6 REPLIES 6

avatar
author-rank bleonhardi
Master Guru

Created ‎01-28-2016 08:35 PM

If you enable it you also need to define ACLs for the different yarn services. I.e. define users and groups that can execute specific tasks. More details can be found here.

https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/ServiceLevelAuth.html#Enabl...

2,516 Views

avatar
author-rank garunkumar85
Expert Contributor

Created ‎01-28-2016 09:01 PM

users list should be pulled from KDC ?

2,515 Views
0 Kudos

avatar
author-rank garunkumar85
Expert Contributor

Created ‎01-28-2016 09:02 PM

instead of all users, can we restrict to confined users and the list should be pulled from KDC ?

2,515 Views
0 Kudos

avatar
author-rank bleonhardi
Master Guru

Created ‎01-29-2016 10:02 AM

Not sure what you mean with "confined" users and pulled from KDC. Its just the hadoop (linux) users/groups you want to give access to these services. For example if you have a linux group hadoopadmins who should be able to run these services you would specify them. KDC principals are mapped to linux users by Hadoop using the authtolocal rules.

Normally the linux users will come from LDAP/AD but that does not have to be the case.

2,515 Views

avatar
author-rank garunkumar85
Expert Contributor

Created ‎01-29-2016 06:28 PM

@Benjamin Leonhardi Thank you Benjamin for your explanation.

2,515 Views
0 Kudos

avatar
author-rank rahulpathak109
Super Collaborator

Created ‎04-04-2016 01:26 PM

@Benjamin Leonhardi

Can you help me with working demo of enabling service level authorization for yarn.

I have followed the steps in https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/ServiceLevelAuth.html#Enabl... but it is not working.

I can run yarn jobs from any user irrespective of the acl settings. I need this in HDP 2.3.4.0 with Ambari 2.2.0

2,515 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements