Configuring access to Hive on YARN

By default, access to Hive and YARN by unauthorized users is not allowed. You also cannot run unauthorized workloads on YARN. You need to know how to give end users and workloads the access rules necessary for querying Hive workloads in YARN queues.

You must configure the following access to query Hive workloads on YARN:
  • Allow the end user to access Hive
  • Allow the Hive workload on YARN
  • Allow the end user to access YARN

Follow the steps in this topic to configure Hive and YARN for end users to access Hive on YARN.

  1. In Cloudera Manager, click Clusters > Hive on Tez > Configuration and search for hive.server2.enable.doAs.
  2. Set the value of hive.server2.enable.doAs to false: uncheck Hive (Service-Wide) to disable impersonation.
    For more information about configuring doAs, see "Enabling or disabling impersonation".
    Save changes.
  3. In Cloudera Manager, click Clusters > Hive > Configuration.
  4. Search for the Hive Service Advanced Configuration Snippet (Safety Valve) for hive-site.xml setting.
  5. In the Hive Service Advanced Configuration Snippet (Safety Valve) for hive-site.xml setting, click +.
  6. Add the properties and values to allow the Hive workload on YARN.
    Property: hive.server2.tez.initialize.default.sessions Value: false
    Property: hive.server2.tez.queue.access.check Value: true
    Property: hive.server2.tez.sessions.custom.queue.allowed Value: true
    For more information about allowing the Hive workload on YARN, see "Configuring HiveServer for ETL using YARN queues".
    Save changes.
  7. In Cloudera Manager, click Clusters > YARN > Configuration, and search for ResourceManager Advanced Configuration Snippet (Safety Valve) for yarn-site.xml.
  8. Set properties and values to allow the end user to access YARN using placement rules.
    Name: yarn.resourcemanager.application-tag-based-placement.enable Value: true
    Name: yarn.resourcemanager.application-tag-based-placement.username.whitelist Value: <comma-separated list of users who can use application-tag-based placement>
    For more information about allowing end user access to YARN, see "Configure queue mapping to use the user name from the application tag using Cloudera Manager".
    Save changes.
  9. Restart ResourceManager.
    End users you specified can now query Hive workloads in YARN queues.
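
To confirm the result of the steps above, the following added example (not Cloudera's code) parses the contents of the effective hive-site.xml and yarn-site.xml and reports any property that differs from the values in this topic, plus the list of users on the tag-based placement whitelist for review. The function names, the sample XML, and the user names hive and etl_user are constructed for illustration.

```python
import xml.etree.ElementTree as ET
# Expected values, taken from the steps in this topic.
EXPECTED = {
    "hive-site.xml": {
        "hive.server2.enable.doAs": "false",
        "hive.server2.tez.initialize.default.sessions": "false",
        "hive.server2.tez.queue.access.check": "true",
        "hive.server2.tez.sessions.custom.queue.allowed": "true",
    },
    "yarn-site.xml": {"yarn.resourcemanager.application-tag-based-placement.enable": "true"},
}
WHITELIST = "yarn.resourcemanager.application-tag-based-placement.username.whitelist"

def parse_site_xml(text):
    """Return {name: value} from a Hadoop-style *-site.xml document."""
    props = {}
    for prop in ET.fromstring(text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def audit(filename, text):
    """Return (findings, whitelisted users) for one effective config file."""
    props = parse_site_xml(text)
    findings = []
    for name, want in EXPECTED.get(filename, {}).items():
        got = props.get(name)
        if got is None:
            findings.append(f"{name}: not set (expected {want})")
        elif got.lower() != want:
            findings.append(f"{name}: is {got!r} (expected {want})")
    users = []
    if filename == "yarn-site.xml":
        users = [u.strip() for u in props.get(WHITELIST, "").split(",") if u.strip()]
        if not users:
            findings.append(f"{WHITELIST}: no users listed")
    return findings, users

# Constructed sample input (not from a real cluster): doAs left on, one property missing.
def _site(pairs):
    body = "".join(f"<property><name>{n}</name><value>{v}</value></property>" for n, v in pairs)
    return f"<configuration>{body}</configuration>"
SAMPLE_HIVE = _site([("hive.server2.enable.doAs", "true"),
                     ("hive.server2.tez.initialize.default.sessions", "false"),
                     ("hive.server2.tez.queue.access.check", "true")])
SAMPLE_YARN = _site([("yarn.resourcemanager.application-tag-based-placement.enable", "true"),
                     (WHITELIST, "hive, etl_user")])
print(audit("hive-site.xml", SAMPLE_HIVE)[0])
```

Pass the file name and the file's text to `audit`; an empty findings list means the file matches the values in this topic, and the returned user list should contain only the accounts you intended to allow.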