01-17-2019 07:52 AM
I was discussing this issue internally and adding "dr.who" to the adminACL has the side effect of allowing all users to have access, so we don't want that. I know we're on the right track here, we just need to get the correct user or group added to the adminACL for CM. I'm researching and will update as soon as I have the answer!
01-18-2019 08:27 AM
I've found that CM uses the "hue" user to interact with the YARN API, so try changing the root level ACL to be "aclAdministerApps=maziyar,admin,hue", refresh the Dynamic Resource Pool (DRP) configuration, and test if it still resolves the issue for you. This will be much more restricted than using "dr.who" but allow the CM Web UI to function properly.
01-18-2019 09:22 AM
01-21-2019 11:15 AM
I'm digging into this again. I clearly see messages in the RM log showing "dr.who" is the user accessing the YARN API. I'm researching further so I hopefully can provide the correct answer!
01-25-2019 08:45 AM - edited 01-25-2019 09:00 AM
The information I had about user "hue" being used by CM to access YARN API is correct for kerberized clusters, but in your case we know that the cluster is not kerberized and we see "dr.who" is used by CM. Consequently, I think that adding "dr.who" to the aclAdministerApps property is the only solution for now.
I am creating an internal improvement request for Cloudera Manager (CM) to also use the user "hue" if ACLs are turned on in a non-kerberized cluster. That way the behavior will be consistent and will provide some level of restriction on who can administer queues in a non-kerberized environment.
EDIT: Internal Improvement JIRA created for CM - look for this change in a future release of CDH (no guarantees, but I hope we implement this change)
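An added example, not part of the original posts and not Cloudera code: a small audit of a Fair Scheduler allocation file that reports, per queue, who effectively holds aclAdministerApps and whether the list is open to everyone through "*" or "dr.who". It assumes the stock Hadoop allocation-file layout ("users groups" ACL strings, ACLs inherited from parent queues, root defaulting to "*" when unset); the queue names, the extra users and the XML itself are constructed sample data.

```python
import xml.etree.ElementTree as ET

# Constructed sample allocation file (not taken from the cluster in this thread).
SAMPLE = """<allocations>
  <queue name="root">
    <aclAdministerApps>maziyar,admin,dr.who</aclAdministerApps>
    <queue name="etl">
      <aclAdministerApps>etl_svc ops</aclAdministerApps>
    </queue>
    <queue name="adhoc"/>
  </queue>
</allocations>"""

# Per the thread, "dr.who" in the admin ACL gives all users access; "*" is the wildcard.
OPEN_USERS = {"*", "dr.who"}

def parse_acl(text):
    """Split 'user1,user2 group1,group2' into (users, groups)."""
    text = (text or "").strip("\r\n\t")
    if text.strip() == "*":
        return {"*"}, set()
    users, _, groups = text.partition(" ")  # a leading space means groups only
    split = lambda s: {x.strip() for x in s.split(",") if x.strip()}
    return split(users), split(groups)

def audit(xml_text):
    """Return {queue_path: (users, groups, open_to_all)} with inherited ACLs."""
    result = {}

    def walk(node, parent, inh_users, inh_groups):
        path = node.get("name") if not parent else parent + "." + node.get("name")
        acl = node.find("aclAdministerApps")
        if acl is None:
            # Assumed default: root is "*" when unset, other queues add nobody.
            users, groups = ({"*"}, set()) if path == "root" else (set(), set())
        else:
            users, groups = parse_acl(acl.text)
        users, groups = users | inh_users, groups | inh_groups
        result[path] = (users, groups, bool(users & OPEN_USERS))
        for child in node.findall("queue"):
            walk(child, path, users, groups)

    for top in ET.fromstring(xml_text).findall("queue"):
        walk(top, "", set(), set())
    return result

if __name__ == "__main__":
    for queue, (users, groups, open_to_all) in audit(SAMPLE).items():
        flag = "OPEN TO ALL" if open_to_all else "restricted"
        print(f"{queue}: users={sorted(users)} groups={sorted(groups)} -> {flag}")
```

Because the ACL is inherited, "dr.who" at root marks every child queue as open, even one that sets its own narrower list.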