
service level authorisation

Contributor

What are the consequences/disadvantages of setting hadoop.security.authorization to true? Why is it set to false by default?

Accepted Solutions

Re: service level authorisation

If you enable it you also need to define ACLs for the different yarn services. I.e. define users and groups that can execute specific tasks. More details can be found here.

https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/ServiceLevelAuth.html#Enabl...

Re: service level authorisation

Contributor

Users list should be pulled from KDC?

Re: service level authorisation

Contributor

Instead of all users, can we restrict to confined users and the list should be pulled from KDC?

Re: service level authorisation

Not sure what you mean with "confined" users and pulled from KDC. It's just the Hadoop (Linux) users/groups you want to give access to these services. For example, if you have a Linux group hadoopadmins who should be able to run these services, you would specify them. KDC principals are mapped to Linux users by Hadoop using the auth_to_local rules.

Normally the Linux users will come from LDAP/AD, but that does not have to be the case.
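
As an added illustration of the reply above (not code from the thread or from the Hadoop project), the sketch below parses service-level ACL values from a hadoop-policy.xml, checks whether a given Linux user and group set would pass, and lists ACLs still left at the `*` wildcard. The policy file is a constructed sample, the user `etl_svc` is hypothetical, and the user's groups are assumed to have been resolved already (after auth_to_local mapping).

```python
import xml.etree.ElementTree as ET

# Constructed sample hadoop-policy.xml. Property names are standard Hadoop
# ones; "hadoopadmins" is the group from the reply, "etl_svc" is hypothetical.
SAMPLE_POLICY = """<configuration>
  <property>
    <name>security.applicationclient.protocol.acl</name>
    <value>etl_svc hadoopadmins</value>
  </property>
  <property>
    <name>security.client.protocol.acl</name>
    <value>*</value>
  </property>
  <property>
    <name>security.resourcemanager-administration.protocol.acl</name>
    <value> hadoopadmins</value>
  </property>
</configuration>"""

def _names(csv):
    return {n.strip() for n in csv.split(",") if n.strip()}

def parse_acl(value):
    """ACL format: 'user1,user2 group1,group2'. '*' = everyone, ' ' = nobody,
    a leading space = groups only. Returns None for the wildcard."""
    if value.strip() == "*":
        return None
    users, _, groups = value.partition(" ")  # split on the first space only
    return _names(users), _names(groups)

def load_policy(xml_text):
    """Map each '*.acl' property to its parsed ACL ('.acl.blocked' is skipped)."""
    root = ET.fromstring(xml_text)
    return {p.findtext("name"): parse_acl(p.findtext("value") or "")
            for p in root.iter("property")
            if p.findtext("name", "").endswith(".acl")}

def is_allowed(acl, user, groups):
    """True if the Linux user, or any of their groups, is listed in the ACL."""
    if acl is None:
        return True
    acl_users, acl_groups = acl
    return user in acl_users or bool(acl_groups & set(groups))

def wildcard_acls(policy):
    """Names of ACLs that still admit every authenticated user."""
    return sorted(name for name, acl in policy.items() if acl is None)
```
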

Re: service level authorisation

Contributor

@Benjamin Leonhardi Thank you Benjamin for your explanation.

Re: service level authorisation

Expert Contributor

@Benjamin Leonhardi

Can you help me with a working demo of enabling service level authorization for YARN?

I have followed the steps in https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/ServiceLevelAuth.html#Enabl... but it is not working.

I can run YARN jobs from any user irrespective of the ACL settings. I need this in HDP 2.3.4.0 with Ambari 2.2.0.
