This topic describes how to integrate YARN with Ranger and how to configure the required permissions.

Prerequisites

A cluster of E-MapReduce (EMR) V3.34.0 or a later minor version, or EMR V4.8.0 or a later minor version is created, and Ranger is selected from the list of optional services when you create the cluster. For more information, see Create a cluster.

Background information

If YARN is integrated with Ranger, you can use Ranger to configure permissions only on scheduler queues. Permissions on fair queues cannot be configured. The permissions that you configured on YARN queues by using Ranger and the Capacity Scheduler configurations of YARN take effect at the same time. The following figure shows the authentication process.

Integrate YARN with Ranger

Important: When you perform the following steps, make sure that no YARN jobs are submitted in the cluster. After you enable YARN in Ranger, you must grant the users who need to submit YARN jobs the permissions on the required queues. Otherwise, the users cannot submit YARN jobs.
  1. Enable YARN in Ranger.
    1. Log on to the Alibaba Cloud EMR console.
    2. In the top navigation bar, select the region where your cluster resides and select a resource group based on your business requirements.
    3. Click the Cluster Management tab.
    4. On the Cluster Management page, find your cluster and click Details in the Actions column.
    5. In the left-side navigation pane, choose Cluster Service > RANGER.
    6. On the page that appears, select Enable YARN from the Actions drop-down list in the upper-right corner.
    7. In the Cluster Activities dialog box, configure the Description parameter and click OK.
    8. In the Confirm message, click OK.
    9. Click History in the upper-right corner to view the task progress.
  2. Add the YARN service on the web UI of Ranger.
    1. Log on to Ranger. For more information, see Overview.
    2. On the Ranger web UI, click the Add icon in the row in which YARN is located to add the YARN service.
    3. Configure the parameters.
      • Service Name: The value is fixed as emr-yarn.
      • Username: The value is fixed as hadoop.
      • Password: Enter a password based on your business requirements.
      • Authentication Type:
        • Select Simple for a common cluster.
        • Select Kerberos for a high-security cluster.
      • YARN REST URL: Enter http://emr-header-1:8088.
      • Add New Configurations:
        • Add the policy.download.auth.users parameter and set the parameter to yarn.
        • Add the hadoop.http.user.name parameter and set the parameter to hadoop.
    4. Click Add.
  3. Restart YARN ResourceManager.
    1. On the YARN service page of the cluster, select Restart ResourceManager from the Actions drop-down list in the upper-right corner.
    2. In the Cluster Activities dialog box, configure the Description parameter and click OK.
    3. In the Confirm message, click OK.
    4. Click History in the upper-right corner to view the task progress.
  4. Modify the configurations of Capacity Scheduler.
    1. On the YARN service page of the cluster, click the Configure tab.
    2. In the Service Configuration section, click the capacity-scheduler tab.
    3. Modify the content in the xml-direct-to-file-content field.
      Note: We recommend that you copy the content in the xml-direct-to-file-content field to a text editor to modify the content.
      1. Delete the following content:
        <property>
          <name>yarn.scheduler.capacity.root.default.acl_submit_applications</name>
          <value>*</value>
          <description>The ACL of who can submit jobs to the default queue.</description>
        </property>
        <property>
          <name>yarn.scheduler.capacity.root.default.acl_administer_queue</name>
          <value>*</value>
          <description>The ACL of who can administer jobs on the default queue.</description>
        </property>
      2. Add the following content:
        <property>
          <name>yarn.scheduler.capacity.root.acl_submit_applications</name>
          <value> </value>
          <description>The ACL of who can submit jobs to the root queue.</description>
        </property>
        <property>
          <name>yarn.scheduler.capacity.root.acl_administer_queue</name>
          <value> </value>
          <description>The ACL of who can administer jobs on the root queue.</description>
        </property>
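        Note: In the preceding content, a space exists between <value> and </value>. This indicates that no user can submit jobs to the root queue or manage the root queue. Because the Capacity Scheduler ACLs take effect together with the Ranger policies, a * value left in these ACLs would keep the queues open to all users regardless of the policies in Ranger.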
  5. Save the configurations.
    1. In the upper-right corner of the Configure tab, click Save.
    2. In the Confirm Changes dialog box, configure the Description parameter and turn on Auto-update Configuration.
    3. Click OK.
  6. Refresh queues.
    1. On the YARN service page of the cluster, select Refresh Queues from the Actions drop-down list in the upper-right corner.
    2. In the Cluster Activities dialog box, configure the Description parameter and click OK.
    3. In the Confirm message, click OK.
    4. Click History in the upper-right corner to view the task progress.
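
A check for step 4, added here as an example and not part of the EMR documentation or tooling: it parses capacity-scheduler XML and reports queue ACLs that differ from the state the step describes. The function names and the `<configuration>` wrapper around the sample inputs are assumptions; in practice, pass the content of the xml-direct-to-file-content field instead.

```python
import xml.etree.ElementTree as ET

PREFIX = "yarn.scheduler.capacity."
ACL_KEYS = ("acl_submit_applications", "acl_administer_queue")


def prop(name, value):
    """Build one <property> element for the constructed samples below."""
    return f"<property><name>{PREFIX}{name}</name><value>{value}</value></property>"


# Constructed inputs: the properties step 4 deletes, and the ones it adds.
BEFORE = ("<configuration>"
          + "".join(prop(f"root.default.{k}", "*") for k in ACL_KEYS)
          + "</configuration>")
AFTER = ("<configuration>"
         + "".join(prop(f"root.{k}", " ") for k in ACL_KEYS)
         + "</configuration>")


def audit_queue_acls(xml_text):
    """Return findings for queue ACLs that differ from the state step 4 describes."""
    acls = {}
    for p in ET.fromstring(xml_text).iter("property"):
        name = (p.findtext("name") or "").strip()
        if name.startswith(PREFIX) and name.endswith(ACL_KEYS):
            # Keep the raw value: the single space that means "no user" must survive.
            acls[name] = p.findtext("value") or ""
    root_names = [f"{PREFIX}root.{k}" for k in ACL_KEYS]
    findings = []
    # Step 4 requires both root ACLs to be present with a single-space value.
    for name in root_names:
        if name not in acls:
            findings.append(f"{name}: not set")
        elif acls[name] != " ":
            findings.append(f"{name}: expected a single space, found {acls[name]!r}")
    # Any remaining wildcard on a subqueue still admits every user.
    for name, value in sorted(acls.items()):
        if name not in root_names and "*" in value:
            findings.append(f"{name}: '*' allows every user")
    return findings


if __name__ == "__main__":
    for label, xml_text in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_queue_acls(xml_text) or "OK")
```

Run it against the edited content before you save the configuration in step 5; an empty result means the root ACLs are a single space and no subqueue wildcard remains.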

Configure permissions

To grant a user the permissions to submit a job to the default queue, perform the following steps. In this example, the test user is used.

  1. Log on to Ranger. For more information, see Overview.
  2. Click emr-yarn.
  3. Click Add New Policy in the upper-right corner.
  4. Configure permissions on YARN queues.
    • Policy Name: The name of the policy. You can specify a custom name.
    • Queue: The name of a queue, such as root.default.
    • recursive: Specifies whether a subqueue inherits the same permissions.
    • Select Group: The user group to which you want to attach the policy.
    • Select User: The user to whom you want to attach the policy, such as test.
    • Permissions: The permissions that you want to grant.
  5. Click Add.
    After the policy is added, the test user is granted the permissions. The test user can submit jobs to the default queue.
    Note: After you add, remove, or modify a policy, it takes about one minute for the configuration to take effect.