Accepted Solution

YARN with ACL - unable to view logs from RM webconsole



We are currently experimenting with ACLs on YARN pools.


Our goal is to have:

  1. a pool for each application where only the authorized user can submit jobs
  2. a group of users for each pool that can view application history and logs


I'm using the following fair-scheduler.xml file (generated with Cloudera Manager):

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<allocations>
    <queue name="root">
        <queue name="appA">
            <!-- ACL value format: "users groups" (user appA, group developersA) -->
            <aclSubmitApps>appA developersA</aclSubmitApps>
            <aclAdministerApps>appA developersA</aclAdministerApps>
        </queue>
        <queue name="appB">
            <aclSubmitApps>appB developersB</aclSubmitApps>
            <aclAdministerApps>appB developersB</aclAdministerApps>
        </queue>
    </queue>
</allocations>


For point 1 (pool access only by the app user) everything works fine, but I can't find a working configuration for point 2: for example, if user devA (in group developersA) tries to view the logs for an application launched in appA, they always get the following error (in the JH web console):


User [devA] is not authorized to view the logs for container_1469609032080_0001_01_000001 in log file


Any suggestion? Is this the intended behaviour or am I missing something?


Our cluster specs/settings:

  • yarn.acl.enable = true
  • yarn.admin.acl = "yarn clusterAdminGroup"
  • CDH 5.7
  • Kerberos authentication
  • YARN web interface also using Kerberos authentication

Thank you,

Cloudera Employee

Re: YARN with ACL - unable to view logs from RM webconsole

If you are referring to the MapReduce Job History Server by JH, JHS has its own job ACL control. If an MR job is configured with

mapreduce.job.acl-view-job = {users you want to allow to view the job, see mapred-default.xml for details on format}

then JHS will allow the specified user to view the job.
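
The ACL value format the answer refers to, as an added example that is not part of the original posts and is not Hadoop's own code: a simplified model of how a "users groups" string is parsed and why a group name written without a leading space is treated as a user name. The group memberships, the job owner and the helper names (`parse_acl`, `can_view`, `check`) are constructed for illustration, the admin ACL reuses the yarn.admin.acl value from the question, and the order of checks (owner, admins, then the view ACL) is an assumption based on the documented rule that owners and administrators can always view a job.

```python
# Added example: simplified model of Hadoop-style ACL strings, not Hadoop code.
from dataclasses import dataclass


@dataclass(frozen=True)
class Acl:
    users: frozenset = frozenset()
    groups: frozenset = frozenset()
    allow_all: bool = False

    def allows(self, user, user_groups):
        return (self.allow_all or user in self.users
                or bool(self.groups & set(user_groups)))


def parse_acl(value):
    """Parse 'user1,user2 group1,group2'; '*' allows everyone, blank allows nobody."""
    if value.strip() == "*":
        return Acl(allow_all=True)
    # Everything before the first space is the user list, the rest is the group list.
    users, _, groups = value.partition(" ")
    names = lambda s: frozenset(n.strip() for n in s.split(",") if n.strip())
    return Acl(names(users), names(groups))


def can_view(user, user_groups, owner, view_acl, admin_acl):
    """Assumed check order: job owner, then admin ACL, then the job's view ACL."""
    if user == owner:
        return True
    if parse_acl(admin_acl).allows(user, user_groups):
        return True
    return parse_acl(view_acl).allows(user, user_groups)


# Constructed sample data: group membership as the cluster would resolve it.
GROUPS = {"devA": ["developersA"], "devB": ["developersB"], "appA": ["appA"]}
ADMIN_ACL = "yarn clusterAdminGroup"  # yarn.admin.acl value from the question


def check(user, view_acl, owner="appA"):
    return can_view(user, GROUPS.get(user, []), owner, view_acl, ADMIN_ACL)


if __name__ == "__main__":
    # Candidate values for mapreduce.job.acl-view-job on a job owned by appA.
    for acl in (" ", " developersA", "developersA", "devA", "*"):
        print(repr(acl), {u: check(u, acl) for u in GROUPS})
```

With a blank view ACL only the owner and administrators pass, which matches the denial devA saw; `" developersA"` (leading space) grants the group, while `"developersA"` names a user and grants nothing to devA.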