8. Using VectorH with Hadoop Security Systems : Configuring VectorH for Use with Apache Ranger : Access to YARN
 
Share this page                  
Access to YARN
VectorH must have access to the queue that is configured in the VectorH YARN_AM_QUEUE configuration parameter, typically "default".
The easiest way to achieve this is to keep the YARN-ACL fallback enabled and let YARN access control default to the existing YARN ACL permissions. If strict Ranger access control is desired, you must disable the fallback (YARN, Configs, Advanced, Custom ranger-yarn-security, ranger.add-yarn-authorization=false), and then define a suitable policy to allow VectorH access to the queue.
The policy for YARN in Ranger that is automatically created upon install typically gives access to all queues to a given list of users. Simply adding the actian user to that list will work, but will give VectorH more rights than it strictly needs. Defining a separate policy to give the actian user access to only the indicated queue would be a better security policy.
In its simplest form, such a policy could look like this:
Policy Name: Default Queue
Queue: root.default
User and Group Permissions
User: actian
Permissions: submit-app
Note:  This document only describes the changes specific to VectorH. For information on setting up a working Ranger configuration on a cluster, see the appropriate Hadoop documentation.