Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

ACLs not working in Capacity Scheduler in CDH5(YARN)

ACLs not working in Capacity Scheduler in CDH5(YARN)

Explorer

 

ACLs is not wroking in Capacity Scheduler in CDH-5. Please see the below config. Only user1 and user2 should be able to queue2 and queue1 but all users are able to access all queues.

 

 

Let me know if there is a solution

 

<?xml version="1.0"?>
<configuration>
  <property>
    <name>yarn.scheduler.capacity.root.queues</name>
    <value>batch,default</value>
  </property>
  <property>
    <name>yarn.scheduler.capacity.root.batch.queues</name>
    <value>queue1,queue2</value>
  </property>
  <property>
    <name>yarn.scheduler.capacity.root.batch.capacity</name>
    <value>80</value>
  </property>
  <property>
    <name>yarn.scheduler.capacity.root.default.capacity</name>
    <value>20</value>
  </property>
  <property>
    <name>yarn.scheduler.capacity.root.batch.queue1.capacity</name>
    <value>70</value>
  </property>
  <property>
    <name>yarn.scheduler.capacity.root.batch.queue2.capacity</name>
    <value>30</value>
  </property>
  <property>
    <name>yarn.scheduler.capacity.root.batch.queue1.acl_submit_applications</name>
    <value>user1</value>
  </property>
  <property>
    <name>yarn.scheduler.capacity.root.batch.queue2.acl_submit_applications</name>
    <value>user2</value>
  </property>
  <property>
    <name>yarn.scheduler.capacity.root.batch.queue1.acl_administer_queue</name>
    <value>*</value>
  </property>
  <property>
    <name>yarn.scheduler.capacity.root.batch.queue2.acl_administer_queue</name>
    <value>*</value>
  </property>
  <property>
    <name>yarn.scheduler.capacity.maximum-applications</name>
    <value>20000</value>
  </property> 
</configuration>

 

1 REPLY 1
Highlighted

Re: ACLs not working in Capacity Scheduler in CDH5(YARN)

Master Guru
You're granting everyone (*) administrative access to the queues, which overrides the submit-applications ACL and invalidates it.
Don't have an account?
Coming from Hortonworks? Activate your account here