
service level authorisation

Expert Contributor

What are the consequences/disadvantages of setting hadoop.security.authorization to true? Why is it set to false by default?

1 ACCEPTED SOLUTION

Master Guru

If you enable it, you also need to define ACLs for the different YARN services, i.e. define users and groups that can execute specific tasks. More details can be found here.

https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/ServiceLevelAuth.html#Enabl...


6 REPLIES 6


Expert Contributor

Users list should be pulled from KDC?

Expert Contributor

Instead of all users, can we restrict to confined users and the list should be pulled from KDC?

Master Guru

Not sure what you mean by "confined" users and pulled from KDC. It's just the Hadoop (Linux) users/groups you want to give access to these services. For example, if you have a Linux group hadoopadmins who should be able to run these services, you would specify them. KDC principals are mapped to Linux users by Hadoop using the auth_to_local rules.

Normally the Linux users will come from LDAP/AD, but that does not have to be the case.
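
An added example, not part of the original thread: a simplified model of how a service-level ACL value (users before the first space, groups after it, or `*` for everyone) is evaluated against the local user and groups that the mapping described above produces. The sample XML is constructed, the user names are made up, and the helper function names are hypothetical; the property keys are the ones documented for `hadoop-policy.xml`.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs (not from the thread). The group hadoopadmins is
# the one named in the reply above; the user "alice" is made up.
CORE_SITE = """<configuration>
  <property><name>hadoop.security.authorization</name><value>true</value></property>
</configuration>"""
HADOOP_POLICY = """<configuration>
  <property><name>security.applicationclient.protocol.acl</name><value>alice hadoopadmins</value></property>
  <property><name>security.client.protocol.acl</name><value>*</value></property>
</configuration>"""

DEFAULT_KEY = "security.service.authorization.default.acl"

def load_props(xml_text):
    """Return {name: value} from a Hadoop *-site.xml style document."""
    root = ET.fromstring(xml_text)
    return {(p.findtext("name") or "").strip(): (p.findtext("value") or "")
            for p in root.iter("property")}

def parse_acl(value):
    """Split 'user1,user2 group1,group2' into (allow_all, users, groups)."""
    if value.strip() == "*":
        return True, set(), set()
    # Users come before the first space and groups after it, so a value that
    # starts with a space means "groups only".
    users, _, groups = value.partition(" ")
    split = lambda s: {x.strip() for x in s.split(",") if x.strip()}
    return False, split(users), split(groups)

def is_allowed(core, policy, acl_key, user, user_groups):
    """Evaluate one service ACL for an already-mapped local user."""
    if core.get("hadoop.security.authorization", "false").lower() != "true":
        return True  # service-level authorization is off: ACLs are not checked
    # An ACL that is not defined falls back to the default ACL, then to "*".
    value = policy.get(acl_key, policy.get(DEFAULT_KEY, "*"))
    allow_all, users, groups = parse_acl(value)
    return allow_all or user in users or bool(groups & set(user_groups))

def wildcard_acls(policy):
    """List the ACL keys that still admit every user."""
    return sorted(k for k, v in policy.items()
                  if k.endswith(".acl") and parse_acl(v)[0])
```

After editing the real `hadoop-policy.xml`, the ACLs are reloaded with `yarn rmadmin -refreshServiceAcl` (ResourceManager) and `hdfs dfsadmin -refreshServiceAcl` (NameNode).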

Expert Contributor

@Benjamin Leonhardi Thank you Benjamin for your explanation.

Super Collaborator

@Benjamin Leonhardi

Can you help me with a working demo of enabling service level authorization for YARN?

I have followed the steps in https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/ServiceLevelAuth.html#Enabl... but it is not working.

I can run YARN jobs from any user irrespective of the ACL settings. I need this in HDP 2.3.4.0 with Ambari 2.2.0.