This topic describes how to integrate YARN with Ranger and how to configure the
required permissions.
Prerequisites
A cluster of E-MapReduce (EMR) V3.34.0 or a later minor version, or EMR V4.8.0 or
a later minor version is created, and Ranger is selected from the list of optional
services when you create the cluster. For more information, see Create a cluster.
Background information
If YARN is integrated with Ranger, you can use Ranger to configure permissions only
on scheduler queues. Permissions on fair queues cannot be configured. The permissions
that you configured on YARN queues by using Ranger and the Capacity Scheduler configurations
of YARN take effect at the same time. The following figure shows the authentication
process.
Integrate YARN with Ranger
Important: When you perform the following steps, make sure that no YARN jobs are submitted in
the cluster. After you enable YARN in Ranger, you must grant the users who need to
submit YARN jobs the permissions on the required queues. Otherwise, the users cannot
submit YARN jobs.
- Enable YARN in Ranger.
  - Log on to the Alibaba Cloud EMR console.
  - In the top navigation bar, select the region where your cluster resides and select a resource group based on your business requirements.
  - Click the Cluster Management tab.
  - On the Cluster Management page, find your cluster and click Details in the Actions column.
  - In the left-side navigation pane, choose .
  - On the page that appears, select Enable YARN from the Actions drop-down list in the upper-right corner.
  - In the Cluster Activities dialog box, configure the Description parameter and click OK.
  - In the Confirm message, click OK.
  - Click History in the upper-right corner to view the task progress.
- Add the YARN service on the web UI of Ranger.
  - Log on to Ranger. For more information, see Overview.
  - On the Ranger web UI, click the icon in the row in which YARN is located to add the YARN service.
  - Configure the parameters.

    | Parameter | Description |
    | --- | --- |
    | Service Name | The value is fixed as emr-yarn. |
    | Username | The value is fixed as hadoop. |
    | Password | Enter a password based on your business requirements. |
    | Authentication Type | Select Simple for a common cluster. Select Kerberos for a high-security cluster. |
    | YARN REST URL | Enter http://emr-header-1:8088. |
    | Add New Configurations | Add the policy.download.auth.users parameter and set the parameter to yarn. Add the hadoop.http.user.name parameter and set the parameter to hadoop. |

  - Click Add.
- Restart YARN ResourceManager.
  - On the YARN service page of the cluster, select Restart ResourceManager from the Actions drop-down list in the upper-right corner.
  - In the Cluster Activities dialog box, configure the Description parameter and click OK.
  - In the Confirm message, click OK.
  - Click History in the upper-right corner to view the task progress.
- Modify the configurations of Capacity Scheduler.
  - On the YARN service page of the cluster, click the Configure tab.
  - In the Service Configuration section, click the capacity-scheduler tab.
  - Modify the content in the xml-direct-to-file-content field.
    Note: We recommend that you copy the content in the xml-direct-to-file-content field to a text editor to modify the content.
    - Delete the following content:
      <property>
        <name>yarn.scheduler.capacity.root.default.acl_submit_applications</name>
        <value>*</value>
        <description>The ACL of who can submit jobs to the default queue.</description>
      </property>
      <property>
        <name>yarn.scheduler.capacity.root.default.acl_administer_queue</name>
        <value>*</value>
        <description>The ACL of who can administer jobs on the default queue.</description>
      </property>
    - Add the following content:
      <property>
        <name>yarn.scheduler.capacity.root.acl_submit_applications</name>
        <value> </value>
        <description>The ACL of who can submit jobs to the root queue.</description>
      </property>
      <property>
        <name>yarn.scheduler.capacity.root.acl_administer_queue</name>
        <value> </value>
        <description>The ACL of who can administer jobs on the root queue.</description>
      </property>
      Note: In the preceding content, a space exists between <value> and </value>. This indicates
      that no user can submit jobs to the root queue or manage the root queue.
  - Save the configurations.
    - In the upper-right corner of the Configure tab, click Save.
    - In the Confirm Changes dialog box, configure the Description parameter and turn on Auto-update Configuration.
    - Click OK.
- Refresh queues.
  - On the YARN service page of the cluster, select Refresh Queues from the Actions drop-down list in the upper-right corner.
  - In the Cluster Activities dialog box, configure the Description parameter and click OK.
  - In the Confirm message, click OK.
  - Click History in the upper-right corner to view the task progress.
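The Capacity Scheduler ACLs take effect together with the Ranger policies, so a leftover * ACL, or a root ACL that is not set, still admits every user whatever the policies say. The following check is an added example, not part of the original procedure or of EMR or Ranger. It scans capacity-scheduler XML for both cases. It assumes the Hadoop default that an unset root queue ACL is * and is inherited by child queues. The function name and sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

PREFIX = "yarn.scheduler.capacity."
ACL_SUFFIXES = (".acl_submit_applications", ".acl_administer_queue")


def audit_queue_acls(xml_text):
    """Return sorted (property, problem) pairs for ACLs that admit everyone."""
    acls = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name.startswith(PREFIX) and name.endswith(ACL_SUFFIXES):
            # Keep the raw text: a single space is a meaningful value here.
            acls[name] = prop.findtext("value") or ""
    findings = []
    for name, value in acls.items():
        if value.strip() == "*":
            findings.append((name, "open to every user"))
    for suffix in ACL_SUFFIXES:
        name = PREFIX + "root" + suffix
        if name not in acls:
            # Assumption from Hadoop's documented default: unset root ACL is "*".
            findings.append((name, "not set, root defaults to *"))
    return sorted(findings)


def conf(props):
    """Build a minimal capacity-scheduler document from (name, value) pairs."""
    body = "".join(
        f"<property><name>{n}</name><value>{v}</value></property>" for n, v in props
    )
    return f"<configuration>{body}</configuration>"


# Constructed samples: the properties this page deletes, then the ones it adds.
SAMPLE_BEFORE = conf([
    (PREFIX + "root.default.acl_submit_applications", "*"),
    (PREFIX + "root.default.acl_administer_queue", "*"),
])
SAMPLE_AFTER = conf([
    (PREFIX + "root.acl_submit_applications", " "),
    (PREFIX + "root.acl_administer_queue", " "),
])

if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, audit_queue_acls(sample))
```

An empty result for the saved content of the xml-direct-to-file-content field means that no queue ACL in it admits every user.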
Configure permissions
To grant a user the permissions to submit a job to the default queue, perform the
following steps. In this example, the test user is used.
- Log on to Ranger. For more information, see Overview.
- Click emr-yarn.
- Click Add New Policy in the upper-right corner.
- Configure permissions on YARN queues.

  | Parameter | Description |
  | --- | --- |
  | Policy Name | The name of the policy. You can specify a custom name. |
  | Queue | The name of a queue, such as root.default. |
  | recursive | Specifies whether a subqueue inherits the same permissions. |
  | Select Group | The user group to which you want to attach the policy. |
  | Select User | The user to whom you want to attach the policy, such as test. |
  | Permissions | The permissions that you want to grant. |

- Click Add.
After the policy is added, the test user is granted the permissions. The test user
can submit jobs to the default queue.
Note: After you add, remove, or modify a policy, it takes about one minute for the configuration
to take effect.