
Step-by-step instructions to set up ACLs on a YARN queue.

For adding or removing queues, see:

https://docs.hortonworks.com/HDPDocuments/Ambari-2.6.2.0/bk_ambari-views/content/ch_using_yarn_queue...

Setting up queue ACLs:

1. Enable YARN ACLs:

a. In YARN -> Configs -> Advanced -> Resource Manager

Set yarn.acl.enable to true and save.

b. Restart the YARN service.

2. Restrict access on the “root” queue first. Child queues inherit the access configuration from the root queue. If this is not done, all users will be able to submit jobs to the child queues.

On the YARN Queue Manager view instance configuration page:

a. Click on the “root” queue.

b. Under “Access Control and Status” -> Submit Applications -> Choose custom. Leave this blank.

c. Now click on the child queue.

d. Under “Access Control and Status” -> Submit Applications -> Choose custom -> In Users/Groups, enter the username.

e. Save and refresh the queue.

3. Notice that in the capacity-scheduler config in YARN -> Configs -> Advanced -> (Section below)

two properties have changed:

a. yarn.scheduler.capacity.root.acl_submit_applications=

Note: This value is not actually blank in the config; there is a space at the end. If this property is removed from the config, acl_submit_applications for the root queue is reset to *. If the parent queue uses the "*" (asterisk) value (or is not specified) to allow access to all users and groups, its child queues cannot restrict access.

b. yarn.scheduler.capacity.root.test.acl_submit_applications=hive
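The inheritance rule in the note above can be checked offline against an exported capacity-scheduler config. The following is an added example, not part of the original article or of YARN: it models only acl_submit_applications, the sample configs are constructed, and the function names and the treatment of an unset property as "*" are assumptions.

```python
# Added example: models only acl_submit_applications from capacity-scheduler.
PREFIX = "yarn.scheduler.capacity."
SUFFIX = ".acl_submit_applications"

# Constructed samples in the key=value form shown in step 3.
RESTRICTED = (PREFIX + "root" + SUFFIX + "= \n"          # value is one space
              + PREFIX + "root.test" + SUFFIX + "=hive\n")
ROOT_REMOVED = PREFIX + "root.test" + SUFFIX + "=hive\n"  # root property deleted

def parse_props(text):
    """Parse key=value lines, keeping the value verbatim so a lone space survives."""
    props = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            key, value = line.split("=", 1)
            props[key.strip()] = value
    return props

def parse_acl(value):
    """Return (allow_all, users, groups) for a 'users groups' ACL string.
    Assumption: an unset property (None) is treated like '*'."""
    if value is None or value.strip() == "*":
        return True, set(), set()
    users, _, groups = value.partition(" ")
    sets = [{n for n in part.strip().split(",") if n} for part in (users, groups)]
    return False, sets[0], sets[1]

def ancestry(queue):
    """'root.test' -> ['root', 'root.test']"""
    parts = queue.split(".")
    return [".".join(parts[:i]) for i in range(1, len(parts) + 1)]

def can_submit(props, queue, user, groups=()):
    """Access is granted if the queue's ACL or any ancestor's ACL admits the user."""
    for path in ancestry(queue):
        allow_all, users, grps = parse_acl(props.get(PREFIX + path + SUFFIX))
        if allow_all or user in users or grps & set(groups):
            return True
    return False

def open_ancestors(props, queue):
    """Ancestors whose ACL is '*' or unset; these make the queue's own ACL moot."""
    return [p for p in ancestry(queue)[:-1]
            if parse_acl(props.get(PREFIX + p + SUFFIX))[0]]

if __name__ == "__main__":
    for name, text in (("restricted", RESTRICTED), ("root removed", ROOT_REMOVED)):
        props = parse_props(text)
        print(name, "| alice can submit:", can_submit(props, "root.test", "alice"),
              "| open ancestors:", open_ancestors(props, "root.test"))
```

A non-empty result from open_ancestors means the child queue's user list is not restricting anyone, which is the case to look for after a config edit strips the trailing space or drops the root property.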

Confirming that the ACL is set:

Now that the ACL is set, to confirm that it is active for the user, log in to a Linux terminal as the hive user and run:

hadoop queue -showacls (This command is deprecated, but works)

mapred queue -showacls (Alternative command)

Output:

For hive user:

For any other user:

We can do the same for Administer Queue. Restrict access on the “root” queue first:

Under “Access Control and Status” -> Administer Queue -> Choose custom -> In Users/Groups, enter the username/groupname.

Now when you run the mapred queue -showacls command, it shows the access of all users, like:

root:

hive:

yarn:

Comments

Nice article, Mugdha.


Nice & very detailed article Mugdha.

Version history
Revision #:
1 of 1
Last update:
‎06-27-2018 06:49 PM