Created 05-13-2017 09:44 AM
As a Hadoop admin, I don't want any user other than the admin to be able to kill a YARN application; only the user who owns the job, and the admin, should be able to kill it. Is there any way to accomplish this?
Presently anyone can kill the application.
Created 05-14-2017 08:12 AM
Hi @Sushant,
The easy approach is to use the YARN Queue Manager from Ambari Views.
Alternatively, you can control this by setting the following parameter in capacity-scheduler.xml:
yarn.scheduler.capacity.root.acl_administer_queue -- <comma separated admin userlist> <comma separated group list>
yarn.scheduler.capacity.root.acl_administer_queue -- admin-user,hdfs,hive admin-group
* Please ensure you have a space between users and groups.
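An added example, not part of the original post and not Hadoop's own tooling: a small Python check that reads the acl_administer_queue values from a capacity-scheduler.xml, splits each one using the users-space-groups format described above, and flags queues that anyone can administer. The sample XML is constructed, and the names parse_acl and audit are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample capacity-scheduler.xml (illustrative values only).
SAMPLE_XML = """<configuration>
  <property>
    <name>yarn.scheduler.capacity.root.acl_administer_queue</name>
    <value>admin-user,hdfs,hive admin-group</value>
  </property>
  <property>
    <name>yarn.scheduler.capacity.root.default.acl_administer_queue</name>
    <value>*</value>
  </property>
</configuration>"""

PREFIX = "yarn.scheduler.capacity."
SUFFIX = ".acl_administer_queue"


def parse_acl(value):
    """Split 'users<space>groups' into (users, groups, wildcard)."""
    if value.strip() == "*":
        return [], [], True
    # Only the FIRST space separates users from groups, so a stray
    # space after a comma silently turns the remaining users into groups.
    users_part, _, groups_part = value.partition(" ")
    users = [u for u in users_part.split(",") if u.strip()]
    groups = [g for g in groups_part.split(",") if g.strip()]
    return users, groups, False


def audit(xml_text):
    """Return ({queue: parsed ACL}, [findings]) for the administer ACLs."""
    acls, findings = {}, []
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name.startswith(PREFIX) and name.endswith(SUFFIX):
            queue = name[len(PREFIX):-len(SUFFIX)]
            acls[queue] = parse_acl(prop.findtext("value") or "")
    if "root" not in acls:
        findings.append("root: ACL not set, defaults to '*' (anyone)")
    for queue, (_, _, wildcard) in sorted(acls.items()):
        if wildcard:
            findings.append(f"{queue}: '*' lets anyone administer the queue")
    return acls, findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_XML)[1]:
        print(finding)
```

Queue ACLs are only enforced when yarn.acl.enable is set to true in yarn-site.xml.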
Created 05-13-2017 02:10 PM
Hi @Sushant,
You can control access to YARN queues, including who can kill applications, with access control lists (ACLs). Read more about this in the docs.
/W
Created 05-13-2017 03:10 PM
Hi Ward, thanks for your inputs. I went through the docs and saw some properties related to queue ACLs. May I know the difference between the yarn.admin.acl property and the ones mentioned in the link given by you? How do I restrict user 1 from killing jobs submitted by user 2 and vice versa?
Created 05-14-2017 08:20 AM
You need to set the ACLs for the user as "%user" instead of the user name; that will ensure that only the user who submitted the job can kill it. In addition to that, you can give access to other admin users to manage.
This will substitute the user name, and the job can be killed only by its own user and admins.
yarn.scheduler.capacity.root.acl_administer_queue -- %user,hdfs,admin
Created 05-14-2017 09:02 AM
Thanks for your inputs. Will %user prevent killing jobs both from the command line and the RM UI?
Created 05-17-2017 04:24 AM
Hi, this worked. May I know how to restrict user 1 to seeing only applications submitted by themselves, not by others, while the admin should be able to view all jobs?
Created 05-21-2017 10:20 PM
Hi @Sushant,
Glad that worked for you; in that case, can you please accept that answer?
In response to controlling the resource monitoring: not that I am aware of, but I believe you may 'not' need to prevent user 1 from seeing the applications submitted by user 1 or another user, as this does not contain any data (unless it explicitly prints out to STDOUT).
On the other hand, you can manage the access with (authorization) SPNEGO for the web UI.