Hi Loïc
> A possible improvement would be to prevent a user from creating a policy for > a queue that doesn't exist. > Tell me if it sounds feasible, and I'll create the corresponding Jira. I am not sure this will work. One of Ranger flexible feature is to be able to create policies on resources which are not yet created. We could give validation options to verify if the resource is present or not. This could help in debugging. Thanks Bosco From: Loïc Chanel <loic.cha...@telecomnancy.net> Reply-To: <user@ranger.incubator.apache.org> Date: Wednesday, September 7, 2016 at 1:07 AM To: <user@ranger.incubator.apache.org> Subject: Re: User running job in forbidden queue Bosco, I think the audit log would have been a great indicator of my mistake, but another problem I have to work on is the fact that I haven't any audit logs but the ones in the Plugins tab ;-) This is what happen when you do not build the cluster yourself ;-) A possible improvement would be to prevent a user from creating a policy for a queue that doesn't exist. Tell me if it sounds feasible, and I'll create the corresponding Jira. Regards, Loïc Loïc CHANEL System Big Data engineer MS&T - WASABI - Worldline (Villeurbanne, France) 2016-09-06 18:40 GMT+02:00 Don Bosco Durai <bo...@apache.org>: Hi Loïc Just curious, was the audit log helpful? I understand, this could be frustrating, so during the last couple of releases, in the audit logs, we have added more information to help admins understand which policy gave the permission to access (or deny). However, in your case, since it was denied, there might have been no policy, but the resource field should have given the resource name as “root.test”. If not, we should look into this. Any suggestions to improve is welcomed… Thanks Bosco From: Loïc Chanel <loic.cha...@telecomnancy.net> Reply-To: <user@ranger.incubator.apache.org> Date: Tuesday, September 6, 2016 at 8:51 AM To: <user@ranger.incubator.apache.org> Subject: Re: User running job in forbidden queue And now I feel like a complete idiot because my actual problem was the fact that in Ranger policies I wrote "test" instead of "root.test". Sorry for the spam, then. Regards, Loïc Loïc CHANEL System Big Data engineer MS&T - WASABI - Worldline (Villeurbanne, France) 2016-09-06 11:22 GMT+02:00 Loïc Chanel <loic.cha...@telecomnancy.net>: Actually, I ran some further tests and the property ranger.add-yarn-authorization set to false in ranger-yarn-security seems to prevent anyone to run jobs in any queue as my user "test" cannot submit a job into "test" queue according to YARN. Anyone encountered the same issue ? FYI, I am using an HDP 2.4 stack. Regards, Loïc Loïc CHANEL System Big Data engineer MS&T - WASABI - Worldline (Villeurbanne, France) 2016-09-06 10:31 GMT+02:00 Loïc Chanel <loic.cha...@telecomnancy.net>: Hi all, I'm back on the Hadoop & Multi-tenancy topic and as I ran some tests I quite a big issue. Using Ranger to handle which user can submit job to which queue I authorized user "test" to submit jobs on queue "test" only - with the property ranger.add-yarn-authorization set to false in ranger-yarn-security. But even with these settings when user "test" submit a job it goes in the "default" queue - to which he shouldn't be able to submit jobs. Do you see what I miss here ? If not, do anyone knows how to turn on YARN Ranger plugin debug logs ? Thanks in advance for your inputs, Loïc Loïc CHANEL System Big Data engineer MS&T - WASABI - Worldline (Villeurbanne, France)
