ramackri opened a new pull request, #1039:
URL: https://github.com/apache/ranger/pull/1039

   ## Summary
   
   Fixes three upstream gaps that prevent the Ranger YARN plugin from 
installing and running correctly on Hadoop 3.x when using the standard plugin 
tarball and `enable-yarn-plugin.sh` workflow.
   
   - **Add `plugin-yarn/template/configuration.xml`** — `plugin-yarn.xml` 
assembly already references `plugin-yarn/template/` for 
`install/conf.templates/default`, but the directory was never committed. 
Without it, the assembled tarball can be incomplete and `enable-yarn-plugin.sh` 
may fail before writing YARN security/audit configuration.
   - **Fix YARN lib path in `enable-agent.sh`** — YARN was grouped with HDFS 
and plugin jars were installed under `share/hadoop/hdfs/lib`. ResourceManager 
and NodeManager load from `share/hadoop/yarn/lib`, so the authorizer was not 
wired correctly even when enable appeared to succeed.
   - **Align `plugin-yarn.xml` impl packaging with HDFS agent** — add 
`slf4j-api` to the `ranger-yarn-plugin-impl` module set (same as 
`hdfs-agent.xml`) for consistent child-first classloader behavior.
   
   Related Jira: https://issues.apache.org/jira/browse/RANGER-5660
   
   ## Changes
   
   | File | Change |
   |------|--------|
   | `plugin-yarn/template/configuration.xml` | New empty Hadoop-style template for assembly `conf.templates/default` |
   | `agents-common/scripts/enable-agent.sh` | Install YARN plugin jars to `share/hadoop/yarn/lib` (separate from HDFS) |
   | `distro/src/main/assembly/plugin-yarn.xml` | Include `slf4j-api` in `ranger-yarn-plugin-impl` dependency set |
   
   ## Manual testing
   
   Tested on a Hadoop 3.4.x Kerberos docker stack with 
`yarn.authorization-provider` set to 
`org.apache.ranger.authorization.yarn.authorizer.RangerYarnAuthorizer`.
   
   1. **Build** — `mvn package -Pranger-yarn-plugin` (distro assembly) 
completed successfully.
   2. **Tarball packaging** — assembled `ranger-*-yarn-plugin.tar.gz` contains 
`install/conf.templates/enable/` XML/CFG files and 
`install/conf.templates/default/configuration.xml`.
   3. **Plugin enable** — `./enable-yarn-plugin.sh` completed without error; 
`ranger-yarn-security.xml` and `ranger-yarn-audit.xml` were written to Hadoop 
conf.
   4. **Lib path** — plugin shim, classloader, and `ranger-yarn-plugin-impl` 
are present under `share/hadoop/yarn/lib` (not only under `hdfs/lib`).
   5. **Jackson versions** — `ranger-yarn-plugin-impl` contains Jackson 2.17 
jars only (no mixed 2.12 artifacts after a clean build).
   6. **ResourceManager** — YARN ResourceManager started and stayed healthy; 
`curl http://localhost:8088/ws/v1/cluster/info` returned HTTP 200.
   7. **Authorization** — Tez/Hive workload submission exercised YARN RM with 
the Ranger authorizer enabled; cluster scheduling behaved as expected under 
existing Ranger policies.
   
   ## Test plan
   
   - [ ] `mvn package -Pranger-yarn-plugin` produces tarball with 
`install/conf.templates/enable/` and 
`install/conf.templates/default/configuration.xml`
   - [ ] `./enable-yarn-plugin.sh` installs jars under `share/hadoop/yarn/lib`
   - [ ] YARN ResourceManager starts with `RangerYarnAuthorizer` configured
   - [ ] No regression in HDFS plugin enable (`share/hadoop/hdfs/lib` unchanged 
for HDFS)
   
   
   Made with [Cursor](https://cursor.com)


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
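
The lib-path, configuration and Jackson checks from the manual testing list above can be scripted so that an enable run that "appeared to succeed" is verified rather than assumed. The following is an added example, not part of the pull request or of Ranger's own scripts. It assumes a Hadoop 3.x layout with configuration in `$HADOOP_HOME/etc/hadoop`, a `yarn-site.xml` where `<name>` is directly followed by `<value>`, and that a misplaced install leaves `ranger-yarn-plugin-impl` under `hdfs/lib`; the function name `check_yarn_plugin` is hypothetical.

```shell
#!/bin/sh
# Added example (not Ranger project code): post-enable layout checks.
# Assumption: Hadoop 3.x layout, configuration in $HADOOP_HOME/etc/hadoop.
AUTHZ=org.apache.ranger.authorization.yarn.authorizer.RangerYarnAuthorizer

# Prints one line per finding; returns 1 if anything is wrong.
check_yarn_plugin() {
    home=$1
    conf="$home/etc/hadoop"
    impl="$home/share/hadoop/yarn/lib/ranger-yarn-plugin-impl"
    rc=0

    # ResourceManager and NodeManager load from share/hadoop/yarn/lib.
    if [ ! -d "$impl" ]; then
        echo "MISSING impl dir: $impl"; rc=1
        # Assumption: a misplaced install leaves the same directory under hdfs/lib.
        if [ -d "$home/share/hadoop/hdfs/lib/ranger-yarn-plugin-impl" ]; then
            echo "MISPLACED: ranger-yarn-plugin-impl is under hdfs/lib"
        fi
    fi

    # Files enable-yarn-plugin.sh is expected to write to the Hadoop conf dir.
    for f in ranger-yarn-security.xml ranger-yarn-audit.xml; do
        if [ ! -f "$conf/$f" ]; then echo "MISSING conf: $conf/$f"; rc=1; fi
    done

    # The authorizer must be named in yarn-site.xml
    # (assumes <name> is directly followed by <value>).
    want="<name>yarn.authorization-provider</name><value>$AUTHZ</value>"
    if ! cat "$conf/yarn-site.xml" 2>/dev/null | tr -d '[:space:]' | grep -qF "$want"; then
        echo "NOT CONFIGURED: yarn.authorization-provider is not $AUTHZ"; rc=1
    fi

    # All Jackson jars in the impl dir should share one major.minor version.
    vers=$(ls "$impl" 2>/dev/null |
        sed -n 's/^jackson-.*-\([0-9]*\.[0-9]*\)\.[0-9].*\.jar$/\1/p' | sort -u)
    if [ "$(printf '%s\n' "$vers" | grep -c .)" -gt 1 ]; then
        echo "MIXED Jackson versions:" $vers; rc=1
    fi
    return $rc
}

# Usage: sh check.sh "$HADOOP_HOME"
if [ "$#" -gt 0 ]; then check_yarn_plugin "$1"; fi
```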