Loïc,

The lookup functionality in the Ranger policy creation will allow you to select 
only the queues which are present in the cluster. If the configurations in the 
Ranger YARN service are correct, this should work as expected and also serve as 
another alternative for this issue.

Thanks,
Ramesh

From: Loïc Chanel <loic.cha...@telecomnancy.net>
Reply-To: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org>
Date: Wednesday, September 7, 2016 at 1:07 AM
To: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org>
Subject: Re: User running job in forbidden queue

Bosco,

I think the audit log would have been a great indicator of my mistake, but 
another problem I have to work on is the fact that I haven't any audit logs but 
the ones in the Plugins tab ;-)
This is what happens when you do not build the cluster yourself ;-)

A possible improvement would be to prevent a user from creating a policy for a 
queue that doesn't exist.
Tell me if it sounds feasible, and I'll create the corresponding Jira.

Regards,


Loïc

Loïc CHANEL
System Big Data engineer
MS&T - WASABI - Worldline (Villeurbanne, France)

2016-09-06 18:40 GMT+02:00 Don Bosco Durai <bo...@apache.org>:
Hi Loïc

Just curious, was the audit log helpful? I understand this could be 
frustrating, so during the last couple of releases, in the audit logs, we have 
added more information to help admins understand which policy gave the 
permission to access (or deny).

However, in your case, since it was denied, there might have been no policy, 
but the resource field should have given the resource name as "root.test". If 
not, we should look into this.

Any suggestions for improvement are welcome...

Thanks

Bosco




From: Loïc Chanel <loic.cha...@telecomnancy.net>
Reply-To: <user@ranger.incubator.apache.org>
Date: Tuesday, September 6, 2016 at 8:51 AM
To: <user@ranger.incubator.apache.org>
Subject: Re: User running job in forbidden queue

And now I feel like a complete idiot because my actual problem was the fact 
that in Ranger policies I wrote "test" instead of "root.test".
Sorry for the spam, then.

Regards,


Loïc

Loïc CHANEL
System Big Data engineer
MS&T - WASABI - Worldline (Villeurbanne, France)

2016-09-06 11:22 GMT+02:00 Loïc Chanel <loic.cha...@telecomnancy.net>:
Actually, I ran some further tests and the property 
ranger.add-yarn-authorization set to false in ranger-yarn-security seems to 
prevent anyone from running jobs in any queue, as my user "test" cannot submit a job 
into the "test" queue according to YARN.
Has anyone encountered the same issue?

FYI, I am using an HDP 2.4 stack.

Regards,


Loïc

Loïc CHANEL
System Big Data engineer
MS&T - WASABI - Worldline (Villeurbanne, France)

2016-09-06 10:31 GMT+02:00 Loïc Chanel <loic.cha...@telecomnancy.net>:
Hi all,

I'm back on the Hadoop & Multi-tenancy topic and as I ran some tests I found quite a 
big issue.
Using Ranger to handle which user can submit jobs to which queue, I authorized 
user "test" to submit jobs on queue "test" only - with the property 
ranger.add-yarn-authorization set to false in ranger-yarn-security.
But even with these settings, when user "test" submits a job it goes in the 
"default" queue - to which he shouldn't be able to submit jobs.

Do you see what I am missing here?
If not, does anyone know how to turn on YARN Ranger plugin debug logs?

Thanks in advance for your inputs,


Loïc

Loïc CHANEL
System Big Data engineer
MS&T - WASABI - Worldline (Villeurbanne, France)
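
The check suggested in this thread (flag a policy whose queue does not exist, such as "test" written in place of "root.test") can be sketched offline as below. This is an added example, not code from the thread or from Apache Ranger; the queue tree, the policy dictionaries (modelled on a Ranger policy export) and the simplified wildcard/recursive matching are assumptions constructed for illustration.

```python
from fnmatch import fnmatchcase

# Constructed sample: the cluster's queue hierarchy (not fetched from YARN).
QUEUE_TREE = {"root": {"default": {}, "test": {}, "prod": {"etl": {}}}}

# Constructed sample policies; the field layout is an assumption for this example.
POLICIES = [
    {"name": "test-queue-short",
     "resources": {"queue": {"values": ["test"], "isRecursive": False}}},
    {"name": "test-queue-full",
     "resources": {"queue": {"values": ["root.test"], "isRecursive": False}}},
    {"name": "prod-subtree",
     "resources": {"queue": {"values": ["root.prod"], "isRecursive": True}}},
    {"name": "wildcard",
     "resources": {"queue": {"values": ["root.t*"], "isRecursive": False}}},
]

def queue_paths(tree, prefix=""):
    """Flatten the nested queue tree into full dotted paths (root.test, ...)."""
    paths = []
    for name, children in tree.items():
        path = f"{prefix}.{name}" if prefix else name
        paths.append(path)
        paths.extend(queue_paths(children, path))
    return paths

def matches(value, queue, recursive):
    """Simplified matching: wildcard on the full path, plus child queues if recursive."""
    if fnmatchcase(queue, value):
        return True
    return recursive and queue.startswith(value + ".")

def audit(policies, tree):
    """Return {policy name: {unmatched value: [full paths with that leaf name]}}."""
    queues = queue_paths(tree)
    report = {}
    for policy in policies:
        res = policy["resources"]["queue"]
        recursive = res.get("isRecursive", False)
        for value in res["values"]:
            if not any(matches(value, q, recursive) for q in queues):
                hints = [q for q in queues if q.split(".")[-1] == value]
                report.setdefault(policy["name"], {})[value] = hints
    return report

if __name__ == "__main__":
    for name, findings in audit(POLICIES, QUEUE_TREE).items():
        for value, hints in findings.items():
            print(f"{name}: queue '{value}' matches nothing; did you mean {hints}?")
```
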


