Step by step instructions to set up acls on the queue.
For Adding/removing queues, see:-
Setting up queue acls:
1. Enable yarn acl:
a. In Yarn -> Configs -> Advanced -> Resource Manager
Set yarn.acl.enable to true and Save.
b. Restart Yarn service.
2. Restrict the access on the “root” queue first. Child queues inherit the access configuration from the root queue. If this is not done, all users will be able to submit the jobs to the child queues.
On the YARN Queue Manager view instance configuration page,
a. Click on the “root” queue.
b. Under “Access Control and Status” -> Submit Applications -> Choose custom. Leave this blank.
c. Now click on the child queue.
d. Under “Access Control and Status” -> Submit Applications -> Choose custom -> In Users/Groups, enter the username.
e. Save and Refresh queue.
3. Notice that in capacity-scheduler config in Yarn -> Configs-> Advanced -> (Section below)
Two properties are changed:
a. yarn.scheduler.capacity.root.acl_submit_applications=
Note: A little about this, this is not blank in the config, there is a space at the end. If this property is removed from this config, this will reset the acl_submit_applications to * for root queue. If the parent queue uses the "*" (asterisk) value (or is not specified) to allow access to all users and groups, its child queues cannot restrict access.
b. yarn.scheduler.capacity.root.test.acl_submit_applications=hive
Confirming that ACL is set:
Now that acl is set, to confirm if acl is active for the user, login to linux terminal as hive user and run:
hadoop queue -showacls (This command is deprecated, but works)
mapred queue -showacls (Alternative command)
Output:
For hive user:
For any other user:
We can do similar for Administer queue. Restrict the access on the “root” queue first:
Under “Access Control and Status” -> Administer Queue -> Choose custom -> In Users/Groups, enter the username/groupname.
Now when you run mapred queue -showacls command, it will show access of all users like:
root:
hive:
yarn:
