Description
Issue Description:
- Observed that if all the Ranger YARN policies are disabled in a CDP environment and we try to submit any YARN application which is allowed via yarn-acl, there is no Ranger audit generated for this.
[Looks like we should have at least one Ranger YARN policy matching the resource or YARN queue for an audit to be generated.]
Expectation:
- I think for yarn-acl fallback we should always generate an audit entry irrespective of Ranger YARN policy presence.
Steps to repro the issue:
- Disable all YARN Ranger policies.
- Submit a YARN app in the default queue [by default the YARN ACL allows everyone to submit apps in the default queue]:
/opt/cloudera/parcels/CDH/bin/hadoop jar /opt/cloudera/parcels/CDH/lib/hadoop-mapreduce/hadoop-mapreduce-examples.jar pi -Dmapred.job.queue.name=default 2 2
- Observe the Ranger audits for the above operation.