You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ranger.apache.org by "Abhishek Shukla (Jira)" <ji...@apache.org> on 2021/06/15 04:29:00 UTC
[jira] [Commented] (RANGER-3282) [Ranger Yarn Audits] No ranger
audit are generated for yarn-acl fallback if all ranger policies are
disabled
[ https://issues.apache.org/jira/browse/RANGER-3282?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17363373#comment-17363373 ]
Abhishek Shukla commented on RANGER-3282:
-----------------------------------------
If there is a policy on a resource then an audit will be generated for that resource access. There can be a global audit policy which can generate audit too. But in this case, there is no such policy and hence there is no audit for the fallback also.
> [Ranger Yarn Audits] No ranger audit are generated for yarn-acl fallback if all ranger policies are disabled
> ------------------------------------------------------------------------------------------------------------
>
> Key: RANGER-3282
> URL: https://issues.apache.org/jira/browse/RANGER-3282
> Project: Ranger
> Issue Type: Bug
> Components: audit, plugins, Ranger
> Affects Versions: 2.2.0
> Reporter: Abhishek Shukla
> Priority: Major
>
> *Issue Description:*
> - Observed that if all the ranger yarn policies are disabled in a CDP environment, and we try to submit any yarn application which is allowed via *yarn-acl*.
> - There is no ranger audit generated for this.
> [Looks like we should have at least one ranger yarn policy matching the resource or yarn queue for audit to be generated]
>
> *Expectation:*
> - I think for *yarn-acl* fallback we should always generate audit entry irrespective of ranger yarn policy presence.
>
> *Steps to repro the issue:*
> * Disable all yarn ranger policies.
> * Submit yarn app in default queue [by default yarn acl allow everyone to submit the app in default queue]
> *
> {code:java}
> /opt/cloudera/parcels/CDH/bin/hadoop jar /opt/cloudera/parcels/CDH/lib/hadoop-mapreduce/hadoop-mapreduce-examples.jar pi -Dmapred.job.queue.name=default 2 2{code}
> * Observe ranger audits for the above operation.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)