Created 05-21-2021 04:15 AM
Hello all,
We are facing an issue viewing YARN logs from the Resource Manager UI. We have two HDP clusters. Cluster1 and Cluster2 have similar configurations. Cluster1 has no problem, but we are getting the unauthorized issue from Cluster2 when viewing the YARN logs.
Cluster1 (the good one) has the below configurations.
yarn.acl.enable=true
yarn.admin.acl=yarn,user1 admingroup1,admingroup2
Cluster2 (the bad one) has the below configurations.
yarn.acl.enable=true
yarn.admin.acl=dr.who,user1,yarn admingroup2
Please note there are users in admingroup2 who want to view the YARN logs but are not able to do so on Cluster2. It shows as below.
Please share if there are more things to check. Thank you for the help.
Created 05-22-2021 07:05 AM
Hi,
Could you please let us know what type of application logs you are viewing? In case those are Spark, the application-level ACLs need to be configured separately based on the application type.
Custom spark2-defaults:
spark.history.ui.admin.acls=*
spark.ui.view.acls=*
spark.ui.view.acls.groups=*
For MapReduce:
Advanced mapred-site:
mapreduce.job.acl-view-job=*
Created on 05-26-2021 03:39 AM - edited 05-26-2021 04:18 AM
Hello @vamsi_redd
Thank you for the reply. We want to have minimal access to the Job logs, that's why we are adding only the required group. Nevertheless, we do have these settings present for MapReduce and Spark for only the users/groups that are needed.
However, we found that the issue was related to some kind of routing. Also, we added the required users to the group (admingroup2).
mapreduce.job.acl-view-job=admingroup2
Created 05-26-2021 04:14 AM
@Sayed016 Thanks for the update. Are you able to view the logs now after adding the required group?
Created 05-26-2021 04:21 AM
I edited my solution above a bit.
We found that the issue was related to some kind of routing from Oozie WF to YARN logs. What we wanted was to view the logs from the Oozie WF manager.
When we access the logs from the YARN RM UI it works, but we weren't able to view the logs directly from the Oozie WF manager. We already have the correct configurations present in the MapReduce service.
Created 05-22-2021 01:51 PM
Can you compare the values of yarn.admin.acl in the yarn-site.xml of both clusters? In my cluster it's activity_analyzer, yarn. This is a comma-delimited value, so now you can add the user who is not allowed in your case, restart the stale config, and revert.
Your user should now be able to access the logs.
Happy hadooping
Created 05-22-2021 10:05 PM
@Sayed016 I can see there is no "," after the Yarn username. Can you try adding "," after the yarn user name as shown below:
yarn.admin.acl=dr.who,user1,yarn,admingroup2
Created 05-22-2021 10:49 PM
@Scharan
As it's supposed to be a comma-delimited user list, YES, add that and restart the config and let me know.
Created 05-24-2021 01:00 PM
Surely, and any user you want to access the Yarn UI. The only condition is that it should be comma-delimited.
Please do that and restart the stale service and revert.
Created 05-26-2021 03:43 AM
Thank you for the reply. Please note that there are groups too and the group name should be separated from the user name with space or else all will be treated as users. Source: https://docs.cloudera.com/cdp-private-cloud-base/7.1.6/yarn-security/topics/yarn-admin-acl.html
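The format described in the last reply (comma-separated users, one space, then comma-separated groups) can be checked offline before a value is pushed to yarn-site.xml. The following is an added example, not code from the thread or from Hadoop: it models that documented format and shows how the three yarn.admin.acl values quoted in the thread split into users and groups. The user "alice" and her group membership are constructed sample data.

```python
# Added example: models the documented "users<space>groups" ACL format.
# It is not Hadoop's implementation. "alice" is a constructed sample user.

def parse_acl(value):
    """Split an ACL string into (allow_all, users, groups)."""
    if value.strip() == "*":
        return True, set(), set()
    # Only the FIRST space separates the user list from the group list.
    parts = value.split(" ", 1)
    users = {u.strip() for u in parts[0].split(",") if u.strip()}
    groups = set()
    if len(parts) == 2:
        groups = {g.strip() for g in parts[1].split(",") if g.strip()}
    return False, users, groups


def is_allowed(value, user, user_groups):
    """True if the user, or any of the user's groups, is named by the ACL."""
    allow_all, users, groups = parse_acl(value)
    return allow_all or user in users or bool(groups & set(user_groups))


def explain(value):
    """Return the parsed ACL in a form that is easy to review or diff."""
    _, users, groups = parse_acl(value)
    return {"users": sorted(users), "groups": sorted(groups)}


# The three yarn.admin.acl values that appear in the thread.
ACLS = {
    "cluster1": "yarn,user1 admingroup1,admingroup2",
    "cluster2": "dr.who,user1,yarn admingroup2",
    "all_commas": "dr.who,user1,yarn,admingroup2",  # the comma-only suggestion
}

if __name__ == "__main__":
    for name, value in ACLS.items():
        # alice is a member of admingroup2 only (constructed).
        verdict = is_allowed(value, "alice", ["admingroup2"])
        print(f"{name}: {explain(value)} alice_allowed={verdict}")
```

With the comma-only value, admingroup2 lands in the user list, so a member of that group matches only if their user name is literally "admingroup2".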