Updated on 2024-10-09 GMT+08:00

Adding a Ranger Access Permission Policy for Yarn

Scenario

Ranger administrators can use Ranger to configure YARN administrator permissions for YARN users, allowing them to manage YARN queue resources.

Prerequisites

  • The Ranger service has been installed and is running properly.
  • You have created users, user groups, or roles for which you want to configure permissions.

Procedure

  1. Log in to FusionInsight Manager and choose Cluster > Services > Yarn.
  2. On the page that is displayed, click the Configuration tab then the All Configurations sub-tab. On this sub-tab page, search for the yarn.acl.enable parameter, and change its value to true. If the value is true, no further action is required.

    Figure 1 Configuring yarn.acl.enable

  3. Log in to the Ranger web UI as the Ranger administrator rangeradmin. For details, see Logging In to the Ranger Web UI.
  4. On the home page, click the component plug-in name in the YARN area, for example, Yarn.
  5. Click Add New Policy to add a Yarn permission control policy.
  6. Configure the parameters listed in the table below based on the service demands.

    Table 1 Yarn permission parameters

    Parameter

    Description

    Policy Name

    Policy name, which can be customized and must be unique in the service.

    Policy Conditions

    IP address filtering policy, which can be customized. You can enter one or more IP addresses or IP address segments. The IP address can contain the wildcard character (*), for example, 192.168.1.10,192.168.1.20, or 192.168.1.*.

    Policy Label

    A label specified for the current policy. You can search for reports and filter policies based on labels.

    Queue

    Queue name. The wildcard (*) is supported.

    To enable a sub-queue to inherit the permission of its upper-level queue, enable the recursion function.

    • Non-recursive: recursion disabled
    • Recursive: recursion enabled

    Description

    Policy description.

    Audit Logging

    Whether to audit the policy.

    Allow Conditions

    Policy allowed condition. You can configure permissions and exceptions allowed by the policy.

    In the Select Role, Select Group, and Select User columns, select the role, user group, or user to which the permission is to be granted, click Add Conditions, add the IP address range to which the policy applies, and click Add Permissions to add the corresponding permission.

    • submit-app: permission to submit queue tasks
    • admin-queue: permission to manage queue tasks
    • Select/Deselect All: Select or deselect all.

    If users or user groups in the current condition need to manage this policy, select Delegate Admin. These users will become the agent administrators. The agent administrators can update and delete this policy and create sub-policies based on the original policy.

    To add multiple permission control rules, click . To delete a permission control rule, click .

    Exclude from Allow Conditions: policy exception conditions

    Deny All Other Accesses

    Whether to reject all other access requests.

    • True: All other access requests are rejected.
    • False: Deny Conditions can be configured.

    Deny Conditions

    Policy rejection condition, which is used to configure the permissions and exceptions to be denied in the policy. The configuration method is similar to that of Allow Conditions. The priority of Deny Conditions is higher than that of allowed conditions configured in Allow Conditions.

    Exclude from Deny Conditions: exception rules excluded from the denied conditions

    Table 2 Setting permissions

    Task

    Role Authorization

    Setting the Yarn administrator permission

    1. On the home page, click the component plug-in name in the YARN area, for example, Yarn.
    2. Select the policy whose Policy Name is all - queue and click to edit the policy.
    3. In the Allow Conditions area, select a user from the Select User drop-down list.

    Setting the permission for a user to submit tasks in a specified Yarn queue

    1. In Queue, specify a queue name.
    2. In the Allow Conditions area, select a user from the Select User drop-down list.
    3. Click Add Permissions and select submit-app.

    Setting the permission for a user to manage tasks in a specified Yarn queue

    1. In Queue, specify a queue name.
    2. In the Allow Conditions area, select a user from the Select User drop-down list.
    3. Click Add Permissions and select admin-queue.

  7. (Optional) Add the validity period of the policy. Click Add Validity period in the upper right corner of the page, set Start Time and End Time, and select Time Zone. Click Save. To add multiple policy validity periods, click . To delete a policy validity period, click .
  8. Click Add to view the basic information about the policy in the policy list. After the policy takes effect, check whether the related permissions are normal.

    To disable a policy, click to edit the policy and set the policy to Disabled.

    If a policy is no longer used, click to delete it.

The permissions on Ranger Yarn are independent of each other. There is inclusion relationship among the permissions. Currently, the following permissions are supported:

  • submit-app: permission to submit queue tasks
  • admin-queue: permission to manage queue tasks

Although the admin-queue has the permission to submit tasks, it does not have the inclusion relationship with the submit-app permission.