By default, access to Hive and YARN by unauthorized users is not allowed. You also
cannot run unauthorized workloads on YARN. You need to know how to give end users and
workloads the access rules necessary for querying Hive workloads in YARN queues.
You must configure the following access to query Hive workloads on YARN:
- Allow the end user to access Hive
- Allow the Hive workload on YARN
- Allow the end user to access YARN
Follow the steps in this topic to configure Hive and YARN for end users to
access Hive on YARN.
-
In Cloudera Manager, click and search for
hive.server2.enable.doAs
.
-
Set the value of
doas
to false. Uncheck Hive (Service-Wide) to
disable impersonation.
For more information about configuring doas
, see "Enabling or
disabling impersonation".
Save changes.
-
Search for the Hive Service Advanced Configuration Snippet (Safety
Valve) for hive-site.xml setting.
-
In the Hive Service Advanced Configuration Snippet (Safety Valve)
for hive-site.xml setting, click .
-
Add
the properties and values to allow the Hive workload on YARN.
Name: hive.server2.tez.initialize.default.sessions Value: false
Name: hive.server2.tez.queue.access.check Value: true
Name: hive.server2.tez.sessions.custom.queue.allowed Value: true
For more information about allowing the Hive workload on YARN, see
"Configuring HiveServer for ETL using YARN queues".
Save changes.
-
In Cloudera Manager, click , and search for ResourceManager Advanced Configuration
Snippet (Safety Valve) for yarn-site.xml.
-
In the ResourceManager Advanced Configuration Snippet (Safety Valve)
for yarn-site.xml setting, click .
-
Add the properties and values to allow the end user to access YARN using
placement rules.
Name: yarn.resourcemanager.application-tag-based-placement.enable Value: true
Name: yarn.resourcemanager.application-tag-based-placement.username.whitelist Value: < Comma separated list of users who can use the application tag based placement.>
For more information about allowing end user access to YARN, see "Configure
queue mapping to use the user name from the application tag using Cloudera
Manager".
Save changes.
-
Restart the YARN ResourceManager service for the changes to apply.
End users you specified can now query Hive workloads in YARN
queues.