Managing YARN queue users

To manage users of secure YARN queues, you need to know how to configure impersonation for the security model you select.

To allow access to YARN queues, as Administrator, you configure HiveServer user impersonation, according to your security: Ranger or security-based authorization (SBA). If you use Ranger, you also need to configure hive.server2.tez.queue.access.check=true. In either case, to manage YARN queues, you need the following behavior:
  • User submits the query through HiveServer (HS2) to the YARN queue
  • Tez app starts for the user
  • Access to the YARN queue is checked for this user.

    As administrator, you can allocate resources to different users.

Managing YARN queues under Ranger

When you use Ranger, you configure HiveServer not to use impersonation (doas=false). HiveServer authorizes only the hive user, not the connected end user, to access Hive tables and YARN queues unless you also configure the following parameter:


Managing YARN queues under SBA

As administrator, if you do not use the recommended Ranger security, you simply enable the doAs impersonation (doas=true) parameter to use SBA. This action also causes HiveServer to authorize the connected user who issued the query to access YARN queues while running the Tez application as the hive user.