Uploaded image for project: 'Ranger'
  1. Ranger
  2. RANGER-3282

[Ranger Yarn Audits] No ranger audit are generated for yarn-acl fallback if all ranger policies are disabled

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Information Provided
    • 2.2.0
    • None
    • audit, plugins, Ranger
    • None

    Description

      Issue Description:

      • Observed that if all the ranger yarn policies are disabled in a CDP environment, and we try to submit any yarn application which is allowed via yarn-acl.
      • There is no ranger audit generated for this.

      [Looks like we should have at least one ranger yarn policy matching the resource or yarn queue for audit to be generated]

       

      Expectation:

      • I think for yarn-acl fallback we should always generate audit entry irrespective of ranger yarn policy presence.

       

      Steps to repro the issue:

      • Disable all yarn ranger policies.
      • Submit yarn app in default queue [by default yarn acl allow everyone to submit the app in default queue]
      • /opt/cloudera/parcels/CDH/bin/hadoop jar /opt/cloudera/parcels/CDH/lib/hadoop-mapreduce/hadoop-mapreduce-examples.jar pi -Dmapred.job.queue.name=default 2 2
      • Observe ranger audits for the above operation.

      Attachments

        Activity

          People

            Unassigned Unassigned
            Shukla Abhishek Shukla
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: