service level authorisation

Contributor

What are the consequences/disadvantages of setting hadoop.security.authorization to true? Why is it set to false by default?

1 ACCEPTED SOLUTION

Re: service level authorisation

If you enable it, you also need to define ACLs for the different YARN services, i.e. define users and groups that can execute specific tasks. More details can be found here.

https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/ServiceLevelAuth.html#Enabl...
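
As an added example (not part of the original reply): a small Python audit of `hadoop-policy.xml` ACL values, which use the documented format of comma-separated users, a space, then comma-separated groups. It flags entries left at `*`, which still admit every user after `hadoop.security.authorization` is set to true. The sample policy and the `yarnsubmit` user are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample hadoop-policy.xml content (not taken from the thread).
SAMPLE_POLICY = """<configuration>
  <property>
    <name>security.applicationclient.protocol.acl</name>
    <value>yarnsubmit hadoopadmins</value>
  </property>
  <property>
    <name>security.client.protocol.acl</name>
    <value>*</value>
  </property>
  <property>
    <name>security.resourcetracker.protocol.acl</name>
    <value> hadoopadmins</value>
  </property>
</configuration>"""

def load_acls(xml_text):
    """Return {property name: raw ACL string} for every *.acl property."""
    acls = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = prop.findtext("name", "").strip()
        if name.endswith(".acl"):
            acls[name] = prop.findtext("value") or ""  # keep a leading space
    return acls

def parse_acl(value):
    """Split 'user1,user2 group1,group2' into (allow_all, users, groups)."""
    if value.strip() == "*":
        return True, set(), set()
    users, _, groups = value.partition(" ")  # leading space => groups only
    split = lambda s: {x.strip() for x in s.split(",") if x.strip()}
    return False, split(users), split(groups)

def is_allowed(value, user, user_groups):
    """True if the user, or any of the user's groups, is named by the ACL."""
    allow_all, users, groups = parse_acl(value)
    return allow_all or user in users or bool(groups & set(user_groups))

def wildcard_acls(acls):
    """ACLs that still admit every user even with authorization enabled."""
    return sorted(name for name, value in acls.items() if parse_acl(value)[0])
```
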

Re: service level authorisation

Contributor

Should the users list be pulled from KDC?

Re: service level authorisation

Contributor

Instead of all users, can we restrict to confined users, and should the list be pulled from KDC?

Re: service level authorisation

Not sure what you mean by "confined" users and pulled from KDC. It's just the Hadoop (Linux) users/groups you want to give access to these services. For example, if you have a Linux group hadoopadmins who should be able to run these services, you would specify them. KDC principals are mapped to Linux users by Hadoop using the auth_to_local rules.

Normally the Linux users will come from LDAP/AD, but that does not have to be the case.

Re: service level authorisation

Contributor

@Benjamin Leonhardi Thank you Benjamin for your explanation.

Re: service level authorisation

Expert Contributor

@Benjamin Leonhardi

Can you help me with a working demo of enabling service level authorization for YARN?

I have followed the steps in https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/ServiceLevelAuth.html#Enabl... but it is not working.

I can run YARN jobs from any user irrespective of the ACL settings. I need this in HDP 2.3.4.0 with Ambari 2.2.0.