Managing YARN queue users

To manage users of secure YARN queues, you need to know how to configure impersonation for the security model you select.

To allow access to YARN queues, as administrator you configure HiveServer user impersonation and, depending on your security model, possibly one additional property. The security model is either Ranger or security-based authorization (SBA). In either case, to manage YARN queues, you need the following behavior:
  • User submits the query through HiveServer (HS2) to the YARN queue.
  • Tez app starts for the user.
  • Access to the YARN queue is checked for this user.

As administrator, you can allocate resources to different users.

Managing YARN queues under Ranger

When you use Ranger, you configure HiveServer not to use impersonation (doas=false). In this configuration, HiveServer authorizes only the hive user, not the connected end user, to access Hive tables and YARN queues, unless you also configure the following parameter:

hive.server2.tez.queue.access.check=true

Managing YARN queues under SBA

As administrator, if you do not use the recommended Ranger security, you enable the doAs impersonation parameter (doas=true) to use SBA. This action also causes HiveServer to authorize the connected user who issued the query to access YARN queues while running the Tez application as the hive user.
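The following audit script is an added example, not part of the original documentation: it reads hive-site.xml content and reports which identity is checked for YARN queue access under the Ranger and SBA models described above. It assumes the doas setting refers to the Hive property hive.server2.enable.doAs; the `site` helper and its sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Assumption: "doas" on this page is the Hive property below.
DOAS = "hive.server2.enable.doAs"
QUEUE_CHECK = "hive.server2.tez.queue.access.check"


def load_props(xml_text):
    """Return {name: value} from Hadoop-style <configuration> XML (last one wins)."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props


def as_bool(props, key):
    """True/False for an explicit setting, None when the key is absent."""
    return props[key].lower() == "true" if key in props else None


def queue_identity(xml_text):
    """Return (identity, reason): whose access to the YARN queue is checked."""
    props = load_props(xml_text)
    doas, check = as_bool(props, DOAS), as_bool(props, QUEUE_CHECK)
    if doas is None:
        # No default is guessed here; it differs between distributions.
        return ("unknown", "doAs is not set explicitly")
    if doas:
        return ("end-user", "SBA: connected user is authorized for the queue")
    if check:
        return ("end-user", "Ranger: queue access check is enabled")
    return ("hive", "Ranger without queue access check: only hive is authorized")


def site(settings):
    """Build a constructed hive-site.xml string from a dict (sample input only)."""
    body = "".join(f"<property><name>{k}</name><value>{v}</value></property>"
                   for k, v in settings.items())
    return f"<configuration>{body}</configuration>"


if __name__ == "__main__":
    for cfg in ({DOAS: "false"}, {DOAS: "false", QUEUE_CHECK: "true"}, {DOAS: "true"}):
        print(cfg, "->", queue_identity(site(cfg)))
```

A result of `hive` means per-user YARN queue allocations are not being enforced for queries that arrive through HiveServer.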