Preventing users from Killing the yarn application

Explorer

As a Hadoop admin, I don't want any other user to kill the YARN application except admin, or only the user who is the owner of the job should be able to kill it, including admin. Any way to accomplish it?

Presently anyone can kill the application.

1 ACCEPTED SOLUTION

Super Collaborator

Hi @Sushant,

The easy approach is to use the YARN Queue Manager from Ambari Views.

Alternatively, you can control it by setting the following parameter in capacity-scheduler.xml:

yarn.scheduler.capacity.root.acl_administer_queue -- <comma separated admin userlist> <comma separated group list>

yarn.scheduler.capacity.root.acl_administer_queue -- admin-user,hdfs,hive admin-group

* Please ensure you have a space between users and groups.

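An added example, not part of the original thread: a small Python audit that reads a capacity-scheduler.xml, parses each acl_administer_queue value in the "users, space, groups" form described in the accepted solution, and reports whether a given user can administer (and therefore kill applications in) a queue. The sample XML is constructed; the script also assumes, per the Capacity Scheduler documentation, that an unset root ACL defaults to `*`, that a single space means no one, and that access granted on a parent queue carries down to its children.

```python
import xml.etree.ElementTree as ET

# Constructed sample capacity-scheduler.xml (not taken from the thread).
SAMPLE_XML = """<configuration>
  <property>
    <name>yarn.scheduler.capacity.root.acl_administer_queue</name>
    <value>admin-user,hdfs,hive admin-group</value>
  </property>
  <property>
    <name>yarn.scheduler.capacity.root.default.acl_administer_queue</name>
    <value>*</value>
  </property>
</configuration>"""

PREFIX = "yarn.scheduler.capacity."
SUFFIX = ".acl_administer_queue"

def parse_acl(value):
    """Split 'user1,user2 group1,group2' into (users, groups, allows_everyone)."""
    if value.strip() == "*":
        return set(), set(), True
    users_part, _, groups_part = value.partition(" ")  # first space separates users from groups
    users = {u.strip() for u in users_part.split(",") if u.strip()}
    groups = {g.strip() for g in groups_part.split(",") if g.strip()}
    return users, groups, False

def load_acls(xml_text):
    """Return {queue_path: raw ACL value} for every acl_administer_queue property."""
    acls = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = prop.findtext("name", "").strip()
        if name.startswith(PREFIX) and name.endswith(SUFFIX):
            acls[name[len(PREFIX):-len(SUFFIX)]] = prop.findtext("value") or ""
    return acls

def can_administer(acls, queue, user, groups=()):
    """True if the user may administer the queue, directly or through an ancestor queue."""
    parts = queue.split(".")
    for i in range(1, len(parts) + 1):
        path = ".".join(parts[:i])
        # Assumption: unset root means "*"; an unset child adds no grants of its own.
        value = acls.get(path, "*" if path == "root" else " ")
        users, grps, everyone = parse_acl(value)
        if everyone or user in users or grps & set(groups):
            return True
    return False
```

In the constructed sample, the `*` on root.default lets any user administer that leaf queue even though root itself is restricted, which is the kind of leftover default this check is meant to surface.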

7 REPLIES

Hi @Sushant,

You can control access to YARN queues, including who can kill applications, with access control lists (ACLs). Read more about this in the docs.

/W

Explorer

Hi Ward, thanks for your inputs. I went through the docs and saw some properties related to ACL queues. May I know the difference between the yarn.admin.acl property and the ones mentioned in the link given by you? How do I restrict user 1 to kill jobs submitted by user 2 and vice versa?

Super Collaborator

You need to set the ACLs for the user as "%user" instead of the user name; that will ensure that only the user who submitted the job can kill it. In addition to that, you can give access to other admin users to manage.

This will substitute the user name, and the job can be killed only by its own user and admins.

yarn.scheduler.capacity.root.acl_administer_queue -- %user,hdfs,admin

Explorer

Thanks for your inputs. Will %user prevent killing jobs both from the command line and the RM UI?

Explorer

Hi, this worked. May I know how to prevent user 1 to see applications submitted by themselves not others, and admin should be able to view all jobs?

Super Collaborator

Hi @Sushant,

Glad that worked for you. In that case, can you please accept that answer?

In response to controlling the resource monitoring: not that I am aware of, but I believe you may 'not' need to prevent user 1 from seeing the application submitted by user1 or other users, as this does not contain any data (unless it explicitly prints out to STDOUT).

On the other hand, you can manage the access with (authorization) SPNEGO for the web UI.