Community Articles

Find and share helpful community-sourced technical articles.
Labels (1)
avatar

SYMPTOM: For a Capacity Scheduler queue that specifies some groups in its acl_submit_applications property, a user who is not a member of any of those groups is still able to submit jobs to the queue.

ROOT CAUSE: By default the root queue is allow-all, which results in all child queues defaulting to allow-all.

The acl_submit_applications property is described as:

The ACL which controls who can submit applications to the given queue. If the given user/group has necessary ACLs on the given queue or one of the parent queues in the hierarchy they can submit applications. ACLs for this property are inherited from the parent queue if not specified.

SOLUTION: Set the root queue to deny-all, by entering a "space" for the value. Then set who to allow in the ACL for each child queue. For example:
yarn.scheduler.capacity.root.acl_submit_applications= 
yarn.scheduler.capacity.root.default.acl_administer_jobs=appdev
yarn.scheduler.capacity.root.default.acl_submit_applications=appdev
yarn.scheduler.capacity.root.system.acl_administer_jobs=dbadmin
yarn.scheduler.capacity.root.system.acl_submit_applications=dbadmin
6,117 Views
Comments
avatar
Contributor

@Alex Miller

Am facing an issue, where irrespective of users defined for the queue all the users were able to run jobs in the queue. And i came across this article and tried to deny all users in root queue by entering space in root queue submit applications from 'Ambari Yarn queue manager' but in submit applications space character is not accepting. Could you kindly let us know, how to use space in submit_applications to deny access to users.