Bosco, I think the audit log would have been a great indicator of my mistake, but another problem I have to work on is the fact that I haven't any audit logs but the ones in the Plugins tab ;-) This is what happen when you do not build the cluster yourself ;-)
A possible improvement would be to prevent a user from creating a policy for a queue that doesn't exist. Tell me if it sounds feasible, and I'll create the corresponding Jira. Regards, Loïc Loïc CHANEL System Big Data engineer MS&T - WASABI - Worldline (Villeurbanne, France) 2016-09-06 18:40 GMT+02:00 Don Bosco Durai <bo...@apache.org>: > Hi Loïc > > > > Just curious, was the audit log helpful? I understand, this could be > frustrating, so during the last couple of releases, in the audit logs, we > have added more information to help admins understand which policy gave the > permission to access (or deny). > > > > However, in your case, since it was denied, there might have been no > policy, but the resource field should have given the resource name as > “root.test”. If not, we should look into this. > > > > Any suggestions to improve is welcomed… > > > > Thanks > > > > Bosco > > > > > > > > > > *From: *Loïc Chanel <loic.cha...@telecomnancy.net> > *Reply-To: *<user@ranger.incubator.apache.org> > *Date: *Tuesday, September 6, 2016 at 8:51 AM > *To: *<user@ranger.incubator.apache.org> > *Subject: *Re: User running job in forbidden queue > > > > And now I feel like a complete idiot because my actual problem was the > fact that in Ranger policies I wrote "test" instead of "root.test". > > Sorry for the spam, then. > > > > Regards, > > > > > > Loïc > > > Loïc CHANEL > System Big Data engineer > MS&T - WASABI - Worldline (Villeurbanne, France) > > > > 2016-09-06 11:22 GMT+02:00 Loïc Chanel <loic.cha...@telecomnancy.net>: > > Actually, I ran some further tests and the property > ranger.add-yarn-authorization > set to false in ranger-yarn-security seems to prevent anyone to run jobs in > any queue as my user "test" cannot submit a job into "test" queue according > to YARN. > > Anyone encountered the same issue ? > > > > FYI, I am using an HDP 2.4 stack. > > > > Regards, > > > > > > Loïc > > > Loïc CHANEL > System Big Data engineer > MS&T - WASABI - Worldline (Villeurbanne, France) > > > > 2016-09-06 10:31 GMT+02:00 Loïc Chanel <loic.cha...@telecomnancy.net>: > > Hi all, > > > > I'm back on the Hadoop & Multi-tenancy topic and as I ran some tests I > quite a big issue. > > Using Ranger to handle which user can submit job to which queue I > authorized user "test" to submit jobs on queue "test" only - with the > property ranger.add-yarn-authorization set to false in ranger-yarn-security. > > But even with these settings when user "test" submit a job it goes in the > "default" queue - to which he shouldn't be able to submit jobs. > > > > Do you see what I miss here ? > > If not, do anyone knows how to turn on YARN Ranger plugin debug logs ? > > > > Thanks in advance for your inputs, > > > > > > Loïc > > > Loïc CHANEL > System Big Data engineer > MS&T - WASABI - Worldline (Villeurbanne, France) > > > > >
