Hi Bosco,
is there a guide or a best practice document for multi-tenancy ? Can I
really separate different use cases on the same cluster without any
security doubts?
Best regards,
Markus
Fiducia & GAD IT AG | www.fiduciagad.de
AG Frankfurt a. M. HRB 102381 | Sitz der Gesellschaft: Hahnstr. 48, 60528
Frankfurt a. M. | USt-IdNr. DE 143582320
Vorstand: Klaus-Peter Bruns (Vorsitzender), Claus-Dieter Toben (stv.
Vorsitzender),
Jens-Olaf Bartels, Martin Beyer, Jörg Dreinhöfer, Wolfgang Eckert, Carsten
Pfläging, Jörg Staff
Vorsitzender des Aufsichtsrats: Jürgen Brinkmann
Von: Don Bosco Durai <bo...@apache.org>
An: <user@ranger.incubator.apache.org>
Datum: 06.09.2016 18:41
Betreff: Re: User running job in forbidden queue
Hi Loïc
Just curious, was the audit log helpful? I understand, this could be
frustrating, so during the last couple of releases, in the audit logs, we
have added more information to help admins understand which policy gave the
permission to access (or deny).
However, in your case, since it was denied, there might have been no
policy, but the resource field should have given the resource name as
“root.test”. If not, we should look into this.
Any suggestions to improve is welcomed…
Thanks
Bosco
From: Loïc Chanel <loic.cha...@telecomnancy.net>
Reply-To: <user@ranger.incubator.apache.org>
Date: Tuesday, September 6, 2016 at 8:51 AM
To: <user@ranger.incubator.apache.org>
Subject: Re: User running job in forbidden queue
And now I feel like a complete idiot because my actual problem was the fact
that in Ranger policies I wrote "test" instead of "root.test".
Sorry for the spam, then.
Regards,
Loïc
Loïc CHANEL
System Big Data engineer
MS&T - WASABI - Worldline (Villeurbanne, France)
2016-09-06 11:22 GMT+02:00 Loïc Chanel <loic.cha...@telecomnancy.net>:
Actually, I ran some further tests and the property
ranger.add-yarn-authorization set to false in ranger-yarn-security
seems to prevent anyone to run jobs in any queue as my user "test"
cannot submit a job into "test" queue according to YARN.
Anyone encountered the same issue ?
FYI, I am using an HDP 2.4 stack.
Regards,
Loïc
Loïc CHANEL
System Big Data engineer
MS&T - WASABI - Worldline (Villeurbanne, France)
2016-09-06 10:31 GMT+02:00 Loïc Chanel <loic.cha...@telecomnancy.net
>:
Hi all,
I'm back on the Hadoop & Multi-tenancy topic and as I ran some
tests I quite a big issue.
Using Ranger to handle which user can submit job to which queue
I authorized user "test" to submit jobs on queue "test" only -
with the property ranger.add-yarn-authorization set to false in
ranger-yarn-security.
But even with these settings when user "test" submit a job it
goes in the "default" queue - to which he shouldn't be able to
submit jobs.
Do you see what I miss here ?
If not, do anyone knows how to turn on YARN Ranger plugin debug
logs ?
Thanks in advance for your inputs,
Loïc
Loïc CHANEL
System Big Data engineer
MS&T - WASABI - Worldline (Villeurbanne, France)
