Support Questions
Find answers, ask questions, and share your expertise

Can't figure out Yarn ACL requirements


I'm trying to monitor the job status of a running Oozie job. However, running the following code from a general purpose user ("hue", which is also starting these jobs through runAs):



curl --negotiate -u : http://FQDN:8088/proxy/application_1609929757167_0004/ws/v1/mapreduce/jobs/job_1609929757167_0004/tasks



I'm getting an error, which does not really say anything useful:





On the other hand, I'm able to see the correct response through a yarn user, suggesting some issues with the ACL's.


My question: what ACL's and where should I give to the general purpose user so that it could see all the information of the running task? I've added the user to ``yarn.admin.acl``, as well as mapreduce.job.acl-modify-job, mapreduce.job.acl-view-job, mapreduce.jobhistory.admin.acl, but none of these help.


What am I missing? 


Cloudera Employee



It's been a long time since you posted, wondering if still facing this problem? Or perhaps you already found the solution to share with us? 🙂


It doesn't look like ACL related; you can submit jobs or administer the queues with ACL.


Is the cluster kerberzied by any chance?




Thanks for the response. The cluster is Kerberized.


I think we got around these errors (partly) by trial and error, so it's hard to pinpoint the exact configuration causing the issues. These probably involved permissions in Ranger, but can't tell exactly since there's no config versioning there.


I say _partly_ since we still haven't figured out Oozie Bundles (jobs through bundles still don't show logs properly on HUE), but workflows and coordinators seem to be working as expected. 

Take a Tour of the Community
Don't have an account?
Your experience may be limited. Sign in to explore more.