Yang, Tong 6182f91ba8 MRS component operation guide_normal 2.0.38.SP20 version
Reviewed-by: Hasko, Vladimir <vladimir.hasko@t-systems.com>
Co-authored-by: Yang, Tong <yangtong2@huawei.com>
Co-committed-by: Yang, Tong <yangtong2@huawei.com>
2022-12-09 14:55:21 +00:00


<a name="mrs_01_1859"></a><a name="mrs_01_1859"></a>
<h1 class="topictitle1">Adding a Ranger Access Permission Policy for Yarn</h1>
<div id="body1595917969961"><div class="section" id="mrs_01_1859__section1861148182711"><h4 class="sectiontitle">Scenario</h4><p id="mrs_01_1859__p757895715271">The <span id="mrs_01_1859__ph1389213457234">Ranger</span><span id="mrs_01_1859__ph733184682310"> </span>administrator can use Ranger to configure Yarn administrator permissions for Yarn users, allowing them to manage Yarn queue resources.</p>
</div>
<div class="section" id="mrs_01_1859__section11493172153315"><h4 class="sectiontitle">Prerequisites</h4><ul id="mrs_01_1859__ul5357197143515"><li id="mrs_01_1859__li735717193519">The Ranger service has been installed and is running properly.</li><li id="mrs_01_1859__li19563173342811">You have created users, user groups, or roles for which you want to configure permissions.</li></ul>
</div>
<div class="section" id="mrs_01_1859__section747294016257"><h4 class="sectiontitle">Procedure</h4><ol id="mrs_01_1859__ol1065893219380"><li id="mrs_01_1859__li13147231112419"><span>Log in to the Ranger management page.</span></li><li id="mrs_01_1859__li18658932173820"><span>On the home page, click the component plug-in name in the <strong id="mrs_01_1859__b1813318333219">YARN</strong> area, for example, <strong id="mrs_01_1859__b1313811313322">Yarn</strong>.</span></li><li id="mrs_01_1859__li1955384410387"><span>Click <strong id="mrs_01_1859__b078865193216">Add New Policy</strong> to add a Yarn permission control policy.</span></li><li id="mrs_01_1859__li139634483403"><span>Configure the parameters listed in the table below based on service requirements.</span><p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="mrs_01_1859__table4469841184115" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Yarn permission parameters</caption><thead align="left"><tr id="mrs_01_1859__row2469841104115"><th align="left" class="cellrowborder" valign="top" width="20%" id="mcps1.3.3.2.4.2.1.2.3.1.1"><p id="mrs_01_1859__p846954194111">Parameter</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="80%" id="mcps1.3.3.2.4.2.1.2.3.1.2"><p id="mrs_01_1859__p1346904194117">Description</p>
</th>
</tr>
</thead>
<tbody><tr id="mrs_01_1859__row1469174110419"><td class="cellrowborder" valign="top" width="20%" headers="mcps1.3.3.2.4.2.1.2.3.1.1 "><p id="mrs_01_1859__p1469114120417">Policy Name</p>
</td>
<td class="cellrowborder" valign="top" width="80%" headers="mcps1.3.3.2.4.2.1.2.3.1.2 "><p id="mrs_01_1859__p1920572416251">Policy name, which can be customized and must be unique in the service.</p>
</td>
</tr>
<tr id="mrs_01_1859__row8934105744517"><td class="cellrowborder" valign="top" width="20%" headers="mcps1.3.3.2.4.2.1.2.3.1.1 "><p id="mrs_01_1859__p119259713409">Policy Conditions</p>
</td>
<td class="cellrowborder" valign="top" width="80%" headers="mcps1.3.3.2.4.2.1.2.3.1.2 "><p id="mrs_01_1859__p9935105714451">IP address filtering policy, which can be customized. You can enter one or more IP addresses or IP address segments. The IP address can contain the wildcard character (*), for example, <strong id="mrs_01_1859__b12699152431314">192.168.1.10</strong>, <strong id="mrs_01_1859__b19699102491313">192.168.1.20</strong>, or <strong id="mrs_01_1859__b16699102481316">192.168.1.*</strong>.</p>
</td>
</tr>
<tr id="mrs_01_1859__row58471251202419"><td class="cellrowborder" valign="top" width="20%" headers="mcps1.3.3.2.4.2.1.2.3.1.1 "><p id="mrs_01_1859__p196910112228">Policy Label</p>
</td>
<td class="cellrowborder" valign="top" width="80%" headers="mcps1.3.3.2.4.2.1.2.3.1.2 "><p id="mrs_01_1859__p5695112225">A label specified for the current policy. You can search for reports and filter policies based on labels.</p>
</td>
</tr>
<tr id="mrs_01_1859__row104697417417"><td class="cellrowborder" valign="top" width="20%" headers="mcps1.3.3.2.4.2.1.2.3.1.1 "><p id="mrs_01_1859__p1598819376474">Queue</p>
</td>
<td class="cellrowborder" valign="top" width="80%" headers="mcps1.3.3.2.4.2.1.2.3.1.2 "><p id="mrs_01_1859__p371393301720">Queue name. The wildcard (*) is supported.</p>
<p id="mrs_01_1859__p1163519584118">To enable a sub-queue to inherit the permission of its upper-level queue, enable the recursion function.</p>
<ul id="mrs_01_1859__ul18956181511313"><li id="mrs_01_1859__li1395613151438"><strong id="mrs_01_1859__b0214113572019">Non-recursive</strong>: recursion disabled</li><li id="mrs_01_1859__li142609275313"><strong id="mrs_01_1859__b162111426208">Recursive</strong>: recursion enabled</li></ul>
</td>
</tr>
<tr id="mrs_01_1859__row1544711577252"><td class="cellrowborder" valign="top" width="20%" headers="mcps1.3.3.2.4.2.1.2.3.1.1 "><p id="mrs_01_1859__p15697173210192">Description</p>
</td>
<td class="cellrowborder" valign="top" width="80%" headers="mcps1.3.3.2.4.2.1.2.3.1.2 "><p id="mrs_01_1859__p1869773261914">Policy description.</p>
</td>
</tr>
<tr id="mrs_01_1859__row12469141164113"><td class="cellrowborder" valign="top" width="20%" headers="mcps1.3.3.2.4.2.1.2.3.1.1 "><p id="mrs_01_1859__p898812379471">Audit Logging</p>
</td>
<td class="cellrowborder" valign="top" width="80%" headers="mcps1.3.3.2.4.2.1.2.3.1.2 "><p id="mrs_01_1859__p18988437174719">Whether to audit the policy.</p>
</td>
</tr>
<tr id="mrs_01_1859__row29973720471"><td class="cellrowborder" valign="top" width="20%" headers="mcps1.3.3.2.4.2.1.2.3.1.1 "><p id="mrs_01_1859__p11995376471">Allow Conditions</p>
</td>
<td class="cellrowborder" valign="top" width="80%" headers="mcps1.3.3.2.4.2.1.2.3.1.2 "><p id="mrs_01_1859__p18991137164717">Conditions under which the policy allows access. You can configure the permissions and exceptions allowed by the policy.</p>
<p id="mrs_01_1859__p1819113143111">In the <strong id="mrs_01_1859__b12701326121320">Select Role</strong>, <strong id="mrs_01_1859__b197022601315">Select Group</strong>, and <strong id="mrs_01_1859__b11708263136">Select User</strong> columns, select the role, user group, or user to which the permission is to be granted, click <strong id="mrs_01_1859__b19713264136">Add Conditions</strong>, add the IP address range to which the policy applies, and click <strong id="mrs_01_1859__b171526201315">Add Permissions</strong> to add the corresponding permission.</p>
<ul id="mrs_01_1859__ul183931610151418"><li id="mrs_01_1859__li2039341013144">submit-app: permission to submit queue tasks</li><li id="mrs_01_1859__li691217172146">admin-queue: permission to manage queue tasks</li><li id="mrs_01_1859__li1247541184312">Select/Deselect All: Select or deselect all.</li></ul>
<p id="mrs_01_1859__p8404164411">If users or user groups in the current condition need to manage this policy, select <strong id="mrs_01_1859__b11787152219364">Delegate Admin</strong>. These users will become the agent administrators. The agent administrators can update and delete this policy and create sub-policies based on the original policy.</p>
<p id="mrs_01_1859__p1455931125418">To add multiple permission control rules, click <span><img id="mrs_01_1859__image39121143141112" src="en-us_image_0000001296249680.png"></span>. To delete a permission control rule, click <span><img id="mrs_01_1859__image9311372338" src="en-us_image_0000001295930212.png"></span>.</p>
<p id="mrs_01_1859__p830416219359">Exclude from Allow Conditions: policy exception conditions</p>
</td>
</tr>
<tr id="mrs_01_1859__row16575436174"><td class="cellrowborder" valign="top" width="20%" headers="mcps1.3.3.2.4.2.1.2.3.1.1 "><p id="mrs_01_1859__p18715135417554">Deny All Other Accesses</p>
</td>
<td class="cellrowborder" valign="top" width="80%" headers="mcps1.3.3.2.4.2.1.2.3.1.2 "><p id="mrs_01_1859__p144192211564">Whether to reject all other access requests.</p>
<ul id="mrs_01_1859__ul1869410255564"><li id="mrs_01_1859__li16941255562">True: All other access requests are rejected.</li><li id="mrs_01_1859__li1769402595615"><strong id="mrs_01_1859__b117741269219">False</strong>: <strong id="mrs_01_1859__b1477432622117">Deny Conditions</strong> can be configured.</li></ul>
</td>
</tr>
<tr id="mrs_01_1859__row899937184718"><td class="cellrowborder" valign="top" width="20%" headers="mcps1.3.3.2.4.2.1.2.3.1.1 "><p id="mrs_01_1859__p5991537154719">Deny Conditions</p>
</td>
<td class="cellrowborder" valign="top" width="80%" headers="mcps1.3.3.2.4.2.1.2.3.1.2 "><p id="mrs_01_1859__p1799337194719">Policy rejection condition, which is used to configure the permissions and exceptions to be denied in the policy. The configuration method is similar to that of <strong id="mrs_01_1859__b12774449153611">Allow Conditions</strong>. <strong id="mrs_01_1859__b712735617369">Deny Conditions</strong> take priority over the conditions configured in <strong id="mrs_01_1859__b213395615367">Allow Conditions</strong>.</p>
<p id="mrs_01_1859__p10996114819815">Exclude from Deny Conditions: exception rules excluded from the denied conditions</p>
</td>
</tr>
</tbody>
</table>
</div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="mrs_01_1859__t5453ec62e4fa409ab89e13e8c65f7f7b" frame="border" border="1" rules="all"><caption><b>Table 2 </b>Setting permissions</caption><thead align="left"><tr id="mrs_01_1859__r1b483aabcac2421b9e5c5dd1cd737521"><th align="left" class="cellrowborder" valign="top" width="26.26%" id="mcps1.3.3.2.4.2.2.2.3.1.1"><p id="mrs_01_1859__a28a08feb938144c698eb23b16aa72258">Task</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="73.74000000000001%" id="mcps1.3.3.2.4.2.2.2.3.1.2"><p id="mrs_01_1859__ad444bcbe25e84f17a7ebe278a43a323f">Role Authorization</p>
</th>
</tr>
</thead>
<tbody><tr id="mrs_01_1859__rb7a95f62aa9d4cc1bfbdf54340c3997d"><td class="cellrowborder" valign="top" width="26.26%" headers="mcps1.3.3.2.4.2.2.2.3.1.1 "><p id="mrs_01_1859__ae0370d9982834c21bd3fd01d37e8e519">Setting the Yarn administrator permission</p>
</td>
<td class="cellrowborder" valign="top" width="73.74000000000001%" headers="mcps1.3.3.2.4.2.2.2.3.1.2 "><ol type="a" id="mrs_01_1859__ol9811840103417"><li id="mrs_01_1859__li181731911404">On the home page, click the component plug-in name in the <strong id="mrs_01_1859__b10128637153811">YARN</strong> area, for example, <strong id="mrs_01_1859__b41471537143814">Yarn</strong>.</li><li id="mrs_01_1859__li13360163663816">Select the policy whose <strong id="mrs_01_1859__b59164387382">Policy Name</strong> is <strong id="mrs_01_1859__b1691723820381">all - queue</strong> and click <span><img id="mrs_01_1859__image262417334017" src="en-us_image_0000001296249684.png"></span> to edit the policy.</li><li id="mrs_01_1859__li1369322054013">In the <strong id="mrs_01_1859__b208971744113812">Allow Conditions</strong> area, select a user from the <strong id="mrs_01_1859__b189864423817">Select User</strong> drop-down list.</li></ol>
</td>
</tr>
<tr id="mrs_01_1859__r22bbd4ec3d1b4ad8b6bfc60fd3fc61e1"><td class="cellrowborder" valign="top" width="26.26%" headers="mcps1.3.3.2.4.2.2.2.3.1.1 "><p id="mrs_01_1859__a1cdc441186674095ab125a083daa694d">Setting the permission for a user to submit tasks in a specified Yarn queue</p>
</td>
<td class="cellrowborder" valign="top" width="73.74000000000001%" headers="mcps1.3.3.2.4.2.2.2.3.1.2 "><ol type="a" id="mrs_01_1859__o30e243cdf97449148c36d93dc1a03a37"><li id="mrs_01_1859__ld973a3178b874b2991a34724362edeaa">In <strong id="mrs_01_1859__b1292934711385">Queue</strong>, specify a queue name.</li><li id="mrs_01_1859__l90a887e837424d2e9d0e4edb5bc29030">In the <strong id="mrs_01_1859__b415717499384">Allow Conditions</strong> area, select a user from the <strong id="mrs_01_1859__b21592494383">Select User</strong> drop-down list.</li><li id="mrs_01_1859__la261edb792114984b435ac93df993a6c">Click <strong id="mrs_01_1859__b15741175153817">Add Permissions</strong> and select <strong id="mrs_01_1859__b17742175112383">submit-app</strong>.</li></ol>
</td>
</tr>
<tr id="mrs_01_1859__r3297e0a39f084a7ca7b97fda8d77b4f1"><td class="cellrowborder" valign="top" width="26.26%" headers="mcps1.3.3.2.4.2.2.2.3.1.1 "><p id="mrs_01_1859__af0e7fec78a8d49c4ad2c94f35ff679f9">Setting the permission for a user to manage tasks in a specified Yarn queue</p>
</td>
<td class="cellrowborder" valign="top" width="73.74000000000001%" headers="mcps1.3.3.2.4.2.2.2.3.1.2 "><ol type="a" id="mrs_01_1859__ob76d86eb5b2d489f9518f378477e71e1"><li id="mrs_01_1859__li12015397574">In <strong id="mrs_01_1859__b12455153816">Queue</strong>, specify a queue name.</li><li id="mrs_01_1859__li50173920570">In the <strong id="mrs_01_1859__b46066561385">Allow Conditions</strong> area, select a user from the <strong id="mrs_01_1859__b8608105643815">Select User</strong> drop-down list.</li><li id="mrs_01_1859__li170103912577">Click <strong id="mrs_01_1859__b1383012581388">Add Permissions</strong> and select <strong id="mrs_01_1859__b683217585387">admin-queue</strong>.</li></ol>
</td>
</tr>
</tbody>
</table>
</div>
</p></li><li id="mrs_01_1859__li1597218316195"><span>(Optional) Add the validity period of the policy. Click <strong id="mrs_01_1859__b8937738134813">Add Validity period</strong> in the upper right corner of the page, set <strong id="mrs_01_1859__b12943133817482">Start Time</strong> and <strong id="mrs_01_1859__b199446385486">End Time</strong>, and select <strong id="mrs_01_1859__b0944638184820">Time Zone</strong>. Click <strong id="mrs_01_1859__b1557215345214">Save</strong>. To add multiple policy validity periods, click <span><img id="mrs_01_1859__en-us_topic_0241932507_image15741956174617" src="en-us_image_0000001349089885.png"></span>. To delete a policy validity period, click <span><img id="mrs_01_1859__en-us_topic_0241932507_image9741115619467" src="en-us_image_0000001295770248.png"></span>.</span></li><li id="mrs_01_1859__li18337132412418"><span>Click <strong id="mrs_01_1859__b37111843122413">Add</strong> to view the basic information about the policy in the policy list. After the policy takes effect, check whether the related permissions work as expected.</span><p><p id="mrs_01_1859__en-us_topic_0241932507_p63219632216">To disable a policy, click <span><img id="mrs_01_1859__en-us_topic_0241932507_image1876104732217" src="en-us_image_0000001348770069.png"></span> to edit the policy and set the policy to <strong id="mrs_01_1859__b6357154192112">Disabled</strong>.</p>
<p id="mrs_01_1859__en-us_topic_0241932507_p1156483182316">If a policy is no longer used, click <span><img id="mrs_01_1859__en-us_topic_0241932507_image79841567249" src="en-us_image_0000001295770252.png"></span> to delete it.</p>
</p></li></ol>
</div>
<div class="note" id="mrs_01_1859__n768c024de71e4be5a7ca11d780550475"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p class="textintable" id="mrs_01_1859__aeaaa930f124b470ca0f6c4f62ddfea8f">The permissions on Ranger Yarn are independent of each other. There is no inclusion relationship among the permissions. Currently, the following permissions are supported:</p>
<ul id="mrs_01_1859__ul9651939795"><li id="mrs_01_1859__li9652123912915"><strong id="mrs_01_1859__b16389195214812">submit-app</strong>: permission to submit queue tasks</li><li id="mrs_01_1859__li865293917918"><strong id="mrs_01_1859__b179471855114812">admin-queue</strong>: permission to manage queue tasks</li></ul>
<p id="mrs_01_1859__p1957813107103">Although <strong id="mrs_01_1859__b10875150154918">admin-queue</strong> carries the permission to submit tasks, it has no inclusion relationship with the <strong id="mrs_01_1859__b17913181244919">submit-app</strong> permission.</p>
</div></div>
</div>
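<p>Added example, not part of the original guide or of Ranger itself: a review pass over Yarn policies exported as JSON, checking the settings from Table 1 that widen access (Audit Logging off, Delegate Admin, admin-queue on wildcard or recursive queues, allow rules with no IP condition). It assumes the export follows the Apache Ranger policy JSON model; the policy, user and queue names and the <strong>ip-range</strong> condition type in the sample are constructed.</p>

```python
import json

# Constructed sample shaped like an Apache Ranger policy export (RangerPolicy
# JSON). Service, user and queue names and the "ip-range" condition type are
# assumptions for illustration, not values from the guide.
SAMPLE_POLICIES = json.loads("""
[
 {"name": "etl-submit", "service": "Yarn", "isAuditEnabled": true,
  "resources": {"queue": {"values": ["root.etl"], "isRecursive": false}},
  "policyItems": [{"users": ["etl_user"], "delegateAdmin": false,
    "accesses": [{"type": "submit-app", "isAllowed": true}],
    "conditions": [{"type": "ip-range", "values": ["192.168.1.*"]}]}]},
 {"name": "ops-admin", "service": "Yarn", "isAuditEnabled": false,
  "resources": {"queue": {"values": ["root.*"], "isRecursive": true}},
  "policyItems": [{"users": ["ops_user"], "delegateAdmin": true,
    "accesses": [{"type": "admin-queue", "isAllowed": true}],
    "conditions": []}]}
]
""")


def review_policy(policy):
    """Return review findings for one Yarn policy (empty list = nothing flagged)."""
    findings = []
    queue = policy.get("resources", {}).get("queue", {})
    names = queue.get("values", [])
    # A recursive or wildcard Queue value extends the grant past a single queue.
    broad = queue.get("isRecursive", False) or any("*" in n for n in names)
    if not policy.get("isAuditEnabled", True):
        findings.append("Audit Logging is disabled")
    for item in policy.get("policyItems", []):  # rows under Allow Conditions
        who = ",".join(item.get("users", []) + item.get("groups", [])
                       + item.get("roles", []))
        granted = {a["type"] for a in item.get("accesses", [])
                   if a.get("isAllowed", True)}
        if "admin-queue" in granted and broad:
            findings.append(f"admin-queue for {who} is not limited to one queue: {names}")
        if item.get("delegateAdmin"):
            findings.append(f"Delegate Admin is granted to {who}")
        if not item.get("conditions"):
            findings.append(f"allow rule for {who} has no IP condition")
    return findings


def review_all(policies):
    """Map each policy name to its list of findings."""
    return {p["name"]: review_policy(p) for p in policies}


if __name__ == "__main__":
    for name, found in review_all(SAMPLE_POLICIES).items():
        print(name, "->", found or "no findings")
```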
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="mrs_01_1849.html">Using Ranger (MRS 3.x)</a></div>
</div>
</div>