ramackri opened a new pull request, #1039: URL: https://github.com/apache/ranger/pull/1039
## Summary Fixes three upstream gaps that prevent the Ranger YARN plugin from installing and running correctly on Hadoop 3.x when using the standard plugin tarball and `enable-yarn-plugin.sh` workflow. - **Add `plugin-yarn/template/configuration.xml`** — `plugin-yarn.xml` assembly already references `plugin-yarn/template/` for `install/conf.templates/default`, but the directory was never committed. Without it, the assembled tarball can be incomplete and `enable-yarn-plugin.sh` may fail before writing YARN security/audit configuration. - **Fix YARN lib path in `enable-agent.sh`** — YARN was grouped with HDFS and plugin jars were installed under `share/hadoop/hdfs/lib`. ResourceManager and NodeManager load from `share/hadoop/yarn/lib`, so the authorizer was not wired correctly even when enable appeared to succeed. - **Align `plugin-yarn.xml` impl packaging with HDFS agent** — add `slf4j-api` to the `ranger-yarn-plugin-impl` module set (same as `hdfs-agent.xml`) for consistent child-first classloader behavior. Related Jira: https://issues.apache.org/jira/browse/RANGER-5660 ## Changes | File | Change | |------|--------| | `plugin-yarn/template/configuration.xml` | New empty Hadoop-style template for assembly `conf.templates/default` | | `agents-common/scripts/enable-agent.sh` | Install YARN plugin jars to `share/hadoop/yarn/lib` (separate from HDFS) | | `distro/src/main/assembly/plugin-yarn.xml` | Include `slf4j-api` in `ranger-yarn-plugin-impl` dependency set | ## Manual testing Tested on a Hadoop 3.4.x Kerberos docker stack with `yarn.authorization-provider` set to `org.apache.ranger.authorization.yarn.authorizer.RangerYarnAuthorizer`. 1. **Build** — `mvn package -Pranger-yarn-plugin` (distro assembly) completed successfully. 2. **Tarball packaging** — assembled `ranger-*-yarn-plugin.tar.gz` contains `install/conf.templates/enable/` XML/CFG files and `install/conf.templates/default/configuration.xml`. 3. **Plugin enable** — `./enable-yarn-plugin.sh` completed without error; `ranger-yarn-security.xml` and `ranger-yarn-audit.xml` were written to Hadoop conf. 4. **Lib path** — plugin shim, classloader, and `ranger-yarn-plugin-impl` are present under `share/hadoop/yarn/lib` (not only under `hdfs/lib`). 5. **Jackson versions** — `ranger-yarn-plugin-impl` contains Jackson 2.17 jars only (no mixed 2.12 artifacts after a clean build). 6. **ResourceManager** — YARN ResourceManager started and stayed healthy; `curl http://localhost:8088/ws/v1/cluster/info` returned HTTP 200. 7. **Authorization** — Tez/Hive workload submission exercised YARN RM with the Ranger authorizer enabled; cluster scheduling behaved as expected under existing Ranger policies. ## Test plan - [ ] `mvn package -Pranger-yarn-plugin` produces tarball with `install/conf.templates/enable/` and `install/conf.templates/default/configuration.xml` - [ ] `./enable-yarn-plugin.sh` installs jars under `share/hadoop/yarn/lib` - [ ] YARN ResourceManager starts with `RangerYarnAuthorizer` configured - [ ] No regression in HDFS plugin enable (`share/hadoop/hdfs/lib` unchanged for HDFS) Made with [Cursor](https://cursor.com) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
