https://community.cloudera.com/t5/Archives-of-Support-Questions/YARN-with-ACL-unable-to-view-logs-from-RM-webconsole/m-p/43279#M36063 <P>If you are referring to MapReduce Job History Server by JH, JHS has its own job ACL control. If a MR job is configured with&nbsp;</P><PRE><SPAN>mapreduce.job.acl-view-job = {users you want to allow to view the job, see mapred-default.xml for details on format}</SPAN></PRE><P>Then JHS will allow the specified user to view the job.</P> Wed, 27 Jul 2016 16:44:43 GMT haibochen 2016-07-27T16:44:43Z https://community.cloudera.com/t5/Archives-of-Support-Questions/YARN-with-ACL-unable-to-view-logs-from-RM-webconsole/m-p/43268#M36062 <P>Hello,</P><P>&nbsp;</P><P>We are currently experimenting with ACLs on YARN pools.</P><P>&nbsp;</P><P>Our goal is to have:</P><OL><LI>a pool for each application where only the authorized user can submit jobs</LI><LI>a group of users for each pool that can view application history and logs</LI></OL><P>&nbsp;</P><P>I'm using the following fair-scheduler.xml file (generated with Cloudera Manager):</P><PRE>&lt;?xml version="1.0" encoding="UTF-8" standalone="yes"?&gt; &lt;allocations&gt; &lt;queue name="root"&gt; &lt;weight&gt;1.0&lt;/weight&gt; &lt;schedulingPolicy&gt;drf&lt;/schedulingPolicy&gt; &lt;aclSubmitApps&gt;&lt;/aclSubmitApps&gt; &lt;aclAdministerApps&gt;&lt;/aclAdministerApps&gt; &lt;queue name="appA"&gt; &lt;weight&gt;1.0&lt;/weight&gt; &lt;schedulingPolicy&gt;drf&lt;/schedulingPolicy&gt; &lt;aclSubmitApps&gt;appA developersA&lt;/aclSubmitApps&gt; &lt;aclAdministerApps&gt;appA developersA&lt;/aclAdministerApps&gt; &lt;/queue&gt; &lt;queue name="appB"&gt; &lt;weight&gt;1.0&lt;/weight&gt; &lt;schedulingPolicy&gt;drf&lt;/schedulingPolicy&gt; &lt;aclSubmitApps&gt;appB developersB&lt;/aclSubmitApps&gt; &lt;aclAdministerApps&gt;appB developersB&lt;/aclAdministerApps&gt; &lt;/queue&gt; &lt;/queue&gt; &lt;/allocations&gt;</PRE><P>&nbsp;</P><P>For the point 1. (pool access only by app user) everything works fine, but I can't get to find a working configuration for point 2: for example if user devA (in group developersA) tries to view the logs for an application launched in appA get always the following error (in JH web console):</P><P>&nbsp;</P><P><FONT face="courier new,courier">User [devA] is not authorized to view the logs for container_1469609032080_0001_01_000001 in log file</FONT></P><P>&nbsp;</P><P>Any suggestion? Is this the intended behaviour or am I missing something?</P><P>&nbsp;</P><P>Our cluster specs/settings:</P><UL><LI>yarn.acl.enable = true</LI><LI>yarn.admin.acl = "yarn clusterAdminGroup"</LI><LI>CDH 5.7</LI><LI>Kerberos authentication</LI><LI>YARN web interface also using Kerberos authentication</LI></UL><P><BR />Thank you,<BR />Bye</P> Fri, 16 Sep 2022 10:31:45 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/YARN-with-ACL-unable-to-view-logs-from-RM-webconsole/m-p/43268#M36062 parnigot 2022-09-16T10:31:45Z https://community.cloudera.com/t5/Archives-of-Support-Questions/YARN-with-ACL-unable-to-view-logs-from-RM-webconsole/m-p/43279#M36063 <P>If you are referring to MapReduce Job History Server by JH, JHS has its own job ACL control. If a MR job is configured with&nbsp;</P><PRE><SPAN>mapreduce.job.acl-view-job = {users you want to allow to view the job, see mapred-default.xml for details on format}</SPAN></PRE><P>Then JHS will allow the specified user to view the job.</P> Wed, 27 Jul 2016 16:44:43 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/YARN-with-ACL-unable-to-view-logs-from-RM-webconsole/m-p/43279#M36063 haibochen 2016-07-27T16:44:43Z