Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

Preventing users from Killing the yarn application

Solved Go to solution
Highlighted

Preventing users from Killing the yarn application

New Contributor

As a Hadoop Admin, I don't want any other user to kill the yarn application except admin or only user who is owner of the job should be able to kill including admin. Any way to accomplish it ?

Presently anyone can kill the application .

1 ACCEPTED SOLUTION

Accepted Solutions

Re: Preventing users from Killing the yarn application

Super Collaborator

hi @Sushant,

The easy approach is to use the Yarn queue manager from ambari views.

Alternatively you can control by setting the following parameter in capacity-scheduler.xml

yarn.scheduler.capacity.root.acl_administer_queue -- <comma separated admin userlist> <comma separated group list>

yarn.scheduler.capacity.root.acl_administer_queue -- admin-user,hdfs,hive admin-group

* please ensure you have a space between users and groups.

7 REPLIES 7

Re: Preventing users from Killing the yarn application

Hi @Sushant,

You can control access to Yarn Queues, including who can kill applications, with access control lists (ACL's). Read more about this in the docs.

/W

Re: Preventing users from Killing the yarn application

New Contributor

Hi Ward, Thanks for your inputs. I went through the docs and saw some property related to acl queues . May I know the difference between yarn.admin.acl property and ones mentioned in the link given by you.How do I restrict user 1 to kill jobs submitted by user 2 and vice versa ?

Re: Preventing users from Killing the yarn application

Super Collaborator

you need the set the ACLs for user as "%user" instead of user name, that will ensure that only the user who submitted the job only can kill in addition to that you can give access to other admin users to manage.

this will substitute the user name and the job can be killed only by the own user and admins.

yarn.scheduler.capacity.root.acl_administer_queue -- %user,hdfs,admin

Re: Preventing users from Killing the yarn application

Super Collaborator

hi @Sushant,

The easy approach is to use the Yarn queue manager from ambari views.

Alternatively you can control by setting the following parameter in capacity-scheduler.xml

yarn.scheduler.capacity.root.acl_administer_queue -- <comma separated admin userlist> <comma separated group list>

yarn.scheduler.capacity.root.acl_administer_queue -- admin-user,hdfs,hive admin-group

* please ensure you have a space between users and groups.

Re: Preventing users from Killing the yarn application

New Contributor

Thanks for your inputs. Will %user will prevent killing jobs both from command line and RM UI ?

Re: Preventing users from Killing the yarn application

New Contributor

Hi, This worked . May I know , how to prevent user 1 to see applications submitted by themselves not others and admin should be able to view all jobs ?

Re: Preventing users from Killing the yarn application

Super Collaborator

Hi @Sushant

Glad that worked for you, in case can you please accept that answer.

in response to control the resource monitoring, not that I am aware of, but I believe you may 'not' need to prevent user 1 to see the application submitted by user1 or other user. as this does not contain any data (unless explisitly prints out to STDOUT).

on the other hand you can manage the access with (authorization)SPNEGO for web UI.