Support Questions
Find answers, ask questions, and share your expertise

YARN queues need a recipe to have two separate admins controlling own queues

Solved Go to solution

YARN queues need a recipe to have two separate admins controlling own queues

Mentor

is that possible? I need the following scenario

AdminA can only see/modify yarn queue A

AdminB can only see/modify yarn queue B

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted

Re: YARN queues need a recipe to have two separate admins controlling own queues

So you definitely have the possibility to restrict control over a subset of queues. ( We had problems getting it to run in a non-kerberized cluster but in a kerberized cluster they work fine. ) Let me see if I find a way to restrict seeing applications as well.

yarn.scheduler.capacity.root.<queue-path>.acl_submit_applicationsThe ACL which controls who can submit applications to the given queue. If the given user/group has necessary ACLs on the given queue or one of the parent queues in the hierarchy they can submit applications. ACLs for this property are inherited from the parent queue if not specified.
yarn.scheduler.capacity.root.<queue-path>.acl_administer_queueThe ACL which controls who can administer applications on the given queue. If the given user/group has necessary ACLs on the given queue or one of the parent queues in the hierarchy they can administer applications. ACLs for this property are inherited from the parent queue if not specified.

View solution in original post

7 REPLIES 7
Highlighted

Re: YARN queues need a recipe to have two separate admins controlling own queues

Mentor

Can a single cluster have different Admins who don’t see each other’s services and processes while still allowing control over their subset?

Highlighted

Re: YARN queues need a recipe to have two separate admins controlling own queues

So you definitely have the possibility to restrict control over a subset of queues. ( We had problems getting it to run in a non-kerberized cluster but in a kerberized cluster they work fine. ) Let me see if I find a way to restrict seeing applications as well.

yarn.scheduler.capacity.root.<queue-path>.acl_submit_applicationsThe ACL which controls who can submit applications to the given queue. If the given user/group has necessary ACLs on the given queue or one of the parent queues in the hierarchy they can submit applications. ACLs for this property are inherited from the parent queue if not specified.
yarn.scheduler.capacity.root.<queue-path>.acl_administer_queueThe ACL which controls who can administer applications on the given queue. If the given user/group has necessary ACLs on the given queue or one of the parent queues in the hierarchy they can administer applications. ACLs for this property are inherited from the parent queue if not specified.

View solution in original post

Highlighted

Re: YARN queues need a recipe to have two separate admins controlling own queues

@Benjamin Leonhardi Will it restrict the view of queues? The above settings helps to implement the control/authority but admins can still see everything...

Highlighted

Re: YARN queues need a recipe to have two separate admins controlling own queues

Good question the yarn documentation says:

"Also, there are safe-guards to ensure that users cannot view and/or modify applications from other users."

However we have setup the administer settings in our cluster and I can still see all applications. So there must be some other setting to enable these "safeguards".

Highlighted

Re: YARN queues need a recipe to have two separate admins controlling own queues

@Benjamin Leonhardi It would be interesting to see Ambari with Multiple clusters

Highlighted

Re: YARN queues need a recipe to have two separate admins controlling own queues

Multicluster mode in Ambari is perhaps one of the most requested features. However its a BIG implementation effort.

Highlighted

Re: YARN queues need a recipe to have two separate admins controlling own queues

@Artem Ervits

Good question and I thought about using different installs of ambari views but instances will be reading the same configurations.

As we cannot manage multiple clusters from ambari so multiple admins with segregation of different view of cluster is not possible.

Admin can see everything so it's not possible. As mentioned above, It would be interesting to see when ambari manages multiple clusters.

https://issues.apache.org/jira/browse/AMBARI-1518

Don't have an account?