User not authorized to view YARN logs from ResourceManager UI


Hello all,


We are facing an issue viewing YARN logs from the Resource Manager UI. We have two HDP clusters. Cluster1 and Cluster2 have similar configurations. Cluster1 has no problem, but we are getting the unauthorized issue on Cluster2 when viewing the YARN logs.


Cluster1 (the good one) has the below configurations.

yarn.admin.acl=yarn,user1 admingroup1,admingroup2


Cluster2 (the bad one) has the below configurations.

yarn.admin.acl=dr.who,user1,yarn admingroup2


Please note there are users in admingroup2 who want to view the YARN logs but are not able to do so on Cluster2. It shows as below.



Please share if there are more things to check. Thank you for the help.



Cloudera Employee



Could you please let us know what type of application logs you are viewing? In case those are Spark, the application-level ACLs need to be configured separately based on the application type.


Custom spark2-defaults:





For Mapreduce

Advanced mapred-site:




Hello @vamsi_redd 


Thank you for the reply. We want to have minimal access to the Job logs, that's why we are adding only the required group. Nevertheless, we do have these settings present for MapReduce and Spark for only the users/groups that are needed.


However, we found that the issue was related to some kind of routing; also, we added the required users to the group (admingroup2).






Cloudera Employee

@Sayed016 Thanks for the update. Are you able to view the logs now after adding the required group?


I edited my solution above a bit.


We found that the issue was related to some kind of routing from Oozie WF to YARN logs. What we wanted was to view the logs from the Oozie WF manager.


When we access the logs from the YARN RM UI it works, but we weren't able to view the logs directly from the Oozie WF manager. We already have the correct configurations present in the MapReduce service.




Can you compare the values of the yarn.admin.acl in the yarn-site.xml of both clusters? In my cluster it's activity_analyzer, yarn. This is a comma-delimited value, so now you can add the user who is not allowed in your case, restart the stale config, and revert.


Your user should now be able to access the logs

Happy hadooping 

Super Collaborator

@Sayed016 I can see there is no "," after the Yarn username. Can you try adding "," after the yarn user name as shown below?




As it's supposed to be a comma-delimited user list, YES, and that, and restart the config and let me know.




Surely, and any user you want to access the Yarn UI. The only condition is that it should be comma-delimited.

Please do that and restart the stale service and revert.


Hello @Scharan and @Shelton 


Thank you for the reply. Please note that there are groups too and the group name should be separated from the user name with space or else all will be treated as users. Source:
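The ACL format described in the last reply (comma-separated users, one space, then comma-separated groups), as an added example that is not part of any post in this thread and is not Hadoop's own code. The function names, the user "alice", and the COMMA_VARIANT string are constructed for illustration, and group membership is passed in directly rather than resolved by the cluster's group mapping.

```python
# Added illustration of the documented "users<space>groups" ACL format.
# Hypothetical helper names; not Hadoop's implementation.

CLUSTER1 = "yarn,user1 admingroup1,admingroup2"   # value from the thread
CLUSTER2 = "dr.who,user1,yarn admingroup2"        # value from the thread
# Constructed: what the value becomes if the group is joined with a comma
COMMA_VARIANT = "dr.who,user1,yarn,admingroup2"


def _names(part):
    """Split a comma-separated list, dropping blanks and stray spaces."""
    return {n.strip() for n in part.split(",") if n.strip()}


def parse_acl(acl):
    """Return (users, groups, allow_all) for an ACL string."""
    if acl.strip() == "*":
        return set(), set(), True
    # Only the FIRST space separates the user list from the group list.
    parts = acl.split(" ", 1)
    users = _names(parts[0])
    groups = _names(parts[1]) if len(parts) > 1 else set()
    return users, groups, False


def is_allowed(acl, user, user_groups):
    """True if the user, or any of the user's groups, is listed in the ACL."""
    users, groups, allow_all = parse_acl(acl)
    return allow_all or user in users or bool(groups & set(user_groups))


def diff_acls(a, b):
    """Entries present in ACL a but missing from ACL b."""
    ua, ga, _ = parse_acl(a)
    ub, gb, _ = parse_acl(b)
    return {"users": ua - ub, "groups": ga - gb}


if __name__ == "__main__":
    for label, acl in [("Cluster1", CLUSTER1), ("Cluster2", CLUSTER2),
                       ("comma variant", COMMA_VARIANT)]:
        users, groups, _ = parse_acl(acl)
        ok = is_allowed(acl, "alice", ["admingroup2"])  # alice is constructed
        print(f"{label}: users={sorted(users)} groups={sorted(groups)} "
              f"alice_allowed={ok}")
    print("In Cluster1 but not Cluster2:", diff_acls(CLUSTER1, CLUSTER2))
```

With the Cluster2 value as posted, admingroup2 parses as a group; in the comma-joined variant it parses as a user name, so members of the group no longer match.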