I will dig into that option, as it sounds like what I missed. Thank you Ramesh.
Loïc

Loïc CHANEL
System Big Data engineer
MS&T - WASABI - Worldline (Villeurbanne, France)

2016-09-07 21:15 GMT+02:00 Ramesh Mani <rm...@hortonworks.com>:

> Loïc,
>
> The lookup functionality in the ranger policy creation will allow you to
> select only the queues which are present in the cluster. If the
> configurations in ranger yarn service are correct this should work as
> expected and also serve as another alternative for this issue.
>
> Thanks,
> Ramesh
>
> From: Loïc Chanel <loic.cha...@telecomnancy.net>
> Reply-To: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org>
> Date: Wednesday, September 7, 2016 at 1:07 AM
> To: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org>
> Subject: Re: User running job in forbidden queue
>
> Bosco,
>
> I think the audit log would have been a great indicator of my mistake, but
> another problem I have to work on is the fact that I haven't any audit logs
> but the ones in the Plugins tab ;-)
> This is what happens when you do not build the cluster yourself ;-)
>
> A possible improvement would be to prevent a user from creating a policy
> for a queue that doesn't exist.
> Tell me if it sounds feasible, and I'll create the corresponding Jira.
>
> Regards,
>
> Loïc
>
> Loïc CHANEL
> System Big Data engineer
> MS&T - WASABI - Worldline (Villeurbanne, France)
>
> 2016-09-06 18:40 GMT+02:00 Don Bosco Durai <bo...@apache.org>:
>
>> Hi Loïc
>>
>> Just curious, was the audit log helpful? I understand, this could be
>> frustrating, so during the last couple of releases, in the audit logs, we
>> have added more information to help admins understand which policy gave the
>> permission to access (or deny).
>>
>> However, in your case, since it was denied, there might have been no
>> policy, but the resource field should have given the resource name as
>> “root.test”. If not, we should look into this.
>>
>> Any suggestions to improve are welcome…
>>
>> Thanks
>>
>> Bosco
>>
>> From: Loïc Chanel <loic.cha...@telecomnancy.net>
>> Reply-To: <user@ranger.incubator.apache.org>
>> Date: Tuesday, September 6, 2016 at 8:51 AM
>> To: <user@ranger.incubator.apache.org>
>> Subject: Re: User running job in forbidden queue
>>
>> And now I feel like a complete idiot because my actual problem was the
>> fact that in Ranger policies I wrote "test" instead of "root.test".
>>
>> Sorry for the spam, then.
>>
>> Regards,
>>
>> Loïc
>>
>> Loïc CHANEL
>> System Big Data engineer
>> MS&T - WASABI - Worldline (Villeurbanne, France)
>>
>> 2016-09-06 11:22 GMT+02:00 Loïc Chanel <loic.cha...@telecomnancy.net>:
>>
>> Actually, I ran some further tests and the property
>> ranger.add-yarn-authorization
>> set to false in ranger-yarn-security seems to prevent anyone from running jobs in
>> any queue as my user "test" cannot submit a job into "test" queue according
>> to YARN.
>>
>> Anyone encountered the same issue?
>>
>> FYI, I am using an HDP 2.4 stack.
>>
>> Regards,
>>
>> Loïc
>>
>> Loïc CHANEL
>> System Big Data engineer
>> MS&T - WASABI - Worldline (Villeurbanne, France)
>>
>> 2016-09-06 10:31 GMT+02:00 Loïc Chanel <loic.cha...@telecomnancy.net>:
>>
>> Hi all,
>>
>> I'm back on the Hadoop & Multi-tenancy topic and as I ran some tests I
>> quite a big issue.
>>
>> Using Ranger to handle which user can submit job to which queue I
>> authorized user "test" to submit jobs on queue "test" only - with the
>> property ranger.add-yarn-authorization set to false in ranger-yarn-security.
>>
>> But even with these settings when user "test" submits a job it goes in the
>> "default" queue - to which he shouldn't be able to submit jobs.
>>
>> Do you see what I miss here?
>>
>> If not, does anyone know how to turn on YARN Ranger plugin debug logs?
>>
>> Thanks in advance for your inputs,
>>
>> Loïc
>>
>> Loïc CHANEL
>> System Big Data engineer
>> MS&T - WASABI - Worldline (Villeurbanne, France)
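The root cause in this thread (a policy written for "test" when the queue is "root.test") can be caught before deployment by comparing policy queue values with the cluster's fully qualified queue paths. The sketch below is an added example, not part of the original thread and not Ranger code. Assumptions: the policy dicts follow the general shape of an exported Ranger policy with a `queue` resource, the queue list and policy names are constructed, and the wildcard and recursive matching only approximates Ranger's matcher.

```python
from fnmatch import fnmatchcase

# Constructed sample data (not taken from the thread's cluster).
CLUSTER_QUEUES = ["root", "root.default", "root.test"]

POLICIES = [
    {"name": "test-queue",
     "resources": {"queue": {"values": ["test"], "isRecursive": False}}},
    {"name": "test-queue-fixed",
     "resources": {"queue": {"values": ["root.test"], "isRecursive": False}}},
    {"name": "all-queues",
     "resources": {"queue": {"values": ["root.*"], "isRecursive": False}}},
]


def matches(value, queue, recursive):
    """Approximate match of one policy value against one full queue path."""
    if fnmatchcase(queue, value):
        return True
    # A recursive policy also covers child queues of the named queue.
    return recursive and queue.startswith(value + ".")


def unmatched_queue_values(policies, cluster_queues):
    """Return (policy name, value, hints) for values matching no cluster queue."""
    findings = []
    for policy in policies:
        res = policy.get("resources", {}).get("queue", {})
        recursive = bool(res.get("isRecursive", False))
        for value in res.get("values", []):
            if any(matches(value, q, recursive) for q in cluster_queues):
                continue
            # Hint: value is only the leaf name of a real queue ("test" vs "root.test").
            hints = [q for q in cluster_queues if q.rsplit(".", 1)[-1] == value]
            findings.append((policy["name"], value, hints))
    return findings


if __name__ == "__main__":
    for name, value, hints in unmatched_queue_values(POLICIES, CLUSTER_QUEUES):
        suffix = f" (did you mean {', '.join(hints)}?)" if hints else ""
        print(f"policy {name!r}: queue {value!r} matches no cluster queue{suffix}")
```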