HDFS ACL permissions and YARN queues

As administrator, you must understand the permissions model supported in CDP Private Cloud Base and later. If you do not use Ranger for authorization, you need to add users to an HDFS access control list (ACL) to permit access to the Hive warehouse directories for running DML queries.

Hive 3 uses the HDFS access control model in place of the Hive-side permission inheritance that earlier releases controlled with the hive.warehouse.subdir.inherit.perms parameter. In Hive 3, a directory inherits its permissions from the default ACL of its parent, so entries that new database and table directories need belong in the default ACL of the warehouse directory, not only in its access ACL.
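The following shell example is added here to show the ACL procedure described above; it is not from the Cloudera page. It grants a group access to the warehouse with both an access entry and a default entry, then verifies from getfacl output that the default entry is present, because an access entry alone covers only the directories that exist today. The warehouse path, the group name analysts, and the getfacl sample are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the Cloudera page): grant a group access to the Hive
# warehouse with HDFS ACLs, and verify the default ACL that new table directories
# will inherit. The warehouse path, the group name "analysts", and the getfacl
# sample at the bottom are constructed for illustration.

WAREHOUSE=${WAREHOUSE:-/warehouse/tablespace/managed/hive}
HDFS=${HDFS:-hdfs}      # set HDFS=echo to dry-run without a cluster

# Build the ACL spec for one principal: an access entry for what already exists
# under the warehouse, plus a default entry so directories Hive creates later
# (new databases and tables) inherit the same permission.
acl_spec() {
  # $1 = user|group, $2 = name, $3 = permission string such as rwx or r-x
  printf '%s:%s:%s,default:%s:%s:%s' "$1" "$2" "$3" "$1" "$2" "$3"
}

# Apply the spec recursively. -m modifies entries instead of replacing the whole
# ACL, so hive's own ownership and any other existing entries survive.
grant_warehouse_access() {
  # $1 = user|group, $2 = name, $3 = permission string
  "$HDFS" dfs -setfacl -R -m "$(acl_spec "$1" "$2" "$3")" "$WAREHOUSE"
}

# Check a getfacl listing (stdin) for the default entry: an access entry alone
# lets the principal read today's tables but not the ones created tomorrow.
has_default_entry() {
  # $1 = user|group, $2 = name
  grep -q "^default:$1:$2:"
}

# Read the live ACL back and verify it; exit status 0 means inheritance is set up.
verify_warehouse_access() {
  "$HDFS" dfs -getfacl "$WAREHOUSE" | has_default_entry "$1" "$2"
}

# Constructed sample of what 'hdfs dfs -getfacl' prints after the grant above.
SAMPLE_GETFACL='# file: /warehouse/tablespace/managed/hive
# owner: hive
# group: hive
user::rwx
group::r-x
group:analysts:rwx
mask::rwx
other::---
default:user::rwx
default:group::r-x
default:group:analysts:rwx
default:mask::rwx
default:other::---'

# Exercise the check against the sample without a cluster.
check_sample() {
  printf '%s\n' "$SAMPLE_GETFACL" | has_default_entry group analysts
}
```

Run grant_warehouse_access group analysts rwx followed by verify_warehouse_access group analysts on a cluster; with HDFS=echo the functions print the hdfs commands they would run instead of executing them.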

Managing YARN queues

To manage YARN queues, you configure Hive user impersonation and, depending on your authorization model, one additional property. The model is either Ranger or storage-based authorization (SBA). In either case, managing YARN queues requires the following behavior:
  • The user submits the query through HiveServer (HS2) to a YARN queue.
  • A Tez application starts for that user.
  • Access to the YARN queue is checked for that user, not for the hive service account.

Because the check is made against the querying user, you, as administrator, can allocate resources to different users through their queues.

Configure services for this behavior, as described below:

Ranger

When you enable Ranger, you disable user impersonation (doAs=false). This is the Hive default and Ranger is the recommended security model.

In Cloudera Manager, click Hive > Configuration and search for hive.server2.enable.doAs (HiveServer2 Enable Impersonation).

Uncheck Hive (Service-Wide) to disable impersonation (doAs=false).

With impersonation disabled, HiveServer submits the Tez application as the hive user, so only the hive user is authorized to access Hive tables and YARN queues unless you also set the following parameter, which makes HiveServer check the querying user's access to the queue:

hive.server2.tez.queue.access.check=true

SBA

As administrator, if you do not use the recommended Ranger security, you enable the doAs impersonation parameter to use SBA: in Cloudera Manager, click Hive > Configuration, and for HiveServer2 Enable Impersonation, check Hive (Service-Wide) to enable impersonation (doAs=true).

Because HiveServer then impersonates the user who issued the query, the Tez application is submitted as that user rather than as hive, and YARN checks that user's access to the queue.
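The following shell example is added here to cover both the Ranger and the SBA procedures above; it is not from the Cloudera page. It reads the two HiveServer2 properties the page names out of a hive-site.xml and reports whose identity YARN will check for queue access, flagging the Ranger configuration that disables impersonation but forgets hive.server2.tez.queue.access.check. The hive-site.xml samples are constructed, and the awk parser assumes the one-element-per-line layout Cloudera Manager writes.

```shell
#!/bin/sh
# Added example (not from the Cloudera page): audit the two HiveServer2 properties
# that decide whose identity YARN sees when a query's Tez application asks for a
# queue. The hive-site.xml samples are constructed; in practice feed the file that
# Cloudera Manager deploys for HiveServer2.

# Print the value of one <property> from hive-site.xml on stdin. Assumes the
# usual one-element-per-line layout that Cloudera Manager writes.
hive_prop() {
  awk -v want="$1" '
    /<property>/  { inprop = 1; name = ""; value = "" }
    inprop && /<name>/  { n = $0; gsub(/.*<name>|<\/name>.*/, "", n); name = n }
    inprop && /<value>/ { v = $0; gsub(/.*<value>|<\/value>.*/, "", v); value = v }
    /<\/property>/ { if (name == want) print value; inprop = 0 }
  '
}

# Classify a hive-site.xml (stdin). Absent properties take the Hive defaults:
# doAs=false (as the page states) and the queue access check off.
queue_identity() {
  conf=$(cat)
  doas=$(printf '%s\n' "$conf" | hive_prop hive.server2.enable.doAs)
  check=$(printf '%s\n' "$conf" | hive_prop hive.server2.tez.queue.access.check)
  if [ "${doas:-false}" = "true" ]; then
    echo "end-user (impersonation: Tez app runs as the querying user)"
  elif [ "${check:-false}" = "true" ]; then
    echo "end-user (Tez app runs as hive; queue ACL checked for the querying user)"
  else
    echo "hive-only (no impersonation and no queue access check)"
  fi
}

# Constructed: the Ranger setup as the page describes it, but missing the
# queue access check, so every query lands in the queues the hive user may use.
RANGER_INCOMPLETE='<configuration>
  <property>
    <name>hive.server2.enable.doAs</name>
    <value>false</value>
  </property>
</configuration>'

# Constructed: the Ranger setup with the check added.
RANGER_COMPLETE='<configuration>
  <property>
    <name>hive.server2.enable.doAs</name>
    <value>false</value>
  </property>
  <property>
    <name>hive.server2.tez.queue.access.check</name>
    <value>true</value>
  </property>
</configuration>'

# Constructed: SBA with impersonation enabled.
SBA='<configuration>
  <property>
    <name>hive.server2.enable.doAs</name>
    <value>true</value>
  </property>
</configuration>'

# Classify one configuration document passed as a string.
audit() { printf '%s\n' "$1" | queue_identity; }
```

On a live node, pipe the deployed hive-site.xml into queue_identity; a result of hive-only on a Ranger cluster means per-user queue allocation is not taking effect.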