Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

YARN queues need a recipe to have two separate admins controlling own queues

Labels:
avatar
author-rank aervits
Master Mentor

Created ‎02-17-2016 02:47 PM

is that possible? I need the following scenario

AdminA can only see/modify yarn queue A

AdminB can only see/modify yarn queue B

2,069 Views
1 ACCEPTED SOLUTION

avatar
author-rank bleonhardi
Master Guru

Created ‎02-17-2016 03:23 PM

So you definitely have the possibility to restrict control over a subset of queues. ( We had problems getting it to run in a non-kerberized cluster but in a kerberized cluster they work fine. ) Let me see if I find a way to restrict seeing applications as well.

yarn.scheduler.capacity.root.<queue-path>.acl_submit_applicationsThe ACL which controls who can submit applications to the given queue. If the given user/group has necessary ACLs on the given queue or one of the parent queues in the hierarchy they can submit applications. ACLs for this property are inherited from the parent queue if not specified.
yarn.scheduler.capacity.root.<queue-path>.acl_administer_queueThe ACL which controls who can administer applications on the given queue. If the given user/group has necessary ACLs on the given queue or one of the parent queues in the hierarchy they can administer applications. ACLs for this property are inherited from the parent queue if not specified.

View solution in original post

1,790 Views
0 Kudos
7 REPLIES 7

avatar
author-rank aervits
Master Mentor

Created ‎02-17-2016 02:48 PM

Can a single cluster have different Admins who don’t see each other’s services and processes while still allowing control over their subset?

1,790 Views
0 Kudos

avatar
author-rank bleonhardi
Master Guru

Created ‎02-17-2016 03:23 PM

So you definitely have the possibility to restrict control over a subset of queues. ( We had problems getting it to run in a non-kerberized cluster but in a kerberized cluster they work fine. ) Let me see if I find a way to restrict seeing applications as well.

yarn.scheduler.capacity.root.<queue-path>.acl_submit_applicationsThe ACL which controls who can submit applications to the given queue. If the given user/group has necessary ACLs on the given queue or one of the parent queues in the hierarchy they can submit applications. ACLs for this property are inherited from the parent queue if not specified.
yarn.scheduler.capacity.root.<queue-path>.acl_administer_queueThe ACL which controls who can administer applications on the given queue. If the given user/group has necessary ACLs on the given queue or one of the parent queues in the hierarchy they can administer applications. ACLs for this property are inherited from the parent queue if not specified.
1,791 Views
0 Kudos

avatar
author-rank nsabharwal
Master Mentor

Created ‎02-17-2016 03:26 PM

@Benjamin Leonhardi Will it restrict the view of queues? The above settings helps to implement the control/authority but admins can still see everything...

1,790 Views
0 Kudos

avatar
author-rank bleonhardi
Master Guru

Created ‎02-17-2016 03:30 PM

Good question the yarn documentation says:

"Also, there are safe-guards to ensure that users cannot view and/or modify applications from other users."

However we have setup the administer settings in our cluster and I can still see all applications. So there must be some other setting to enable these "safeguards".

1,790 Views

avatar
author-rank nsabharwal
Master Mentor

Created ‎02-17-2016 03:39 PM

@Benjamin Leonhardi It would be interesting to see Ambari with Multiple clusters

1,790 Views
0 Kudos

avatar
author-rank bleonhardi
Master Guru

Created ‎02-17-2016 03:59 PM

Multicluster mode in Ambari is perhaps one of the most requested features. However its a BIG implementation effort.

1,790 Views

avatar
author-rank nsabharwal
Master Mentor

Created ‎02-17-2016 03:25 PM

@Artem Ervits

Good question and I thought about using different installs of ambari views but instances will be reading the same configurations.

As we cannot manage multiple clusters from ambari so multiple admins with segregation of different view of cluster is not possible.

Admin can see everything so it's not possible. As mentioned above, It would be interesting to see when ambari manages multiple clusters.

https://issues.apache.org/jira/browse/AMBARI-1518

1,790 Views
0 Kudos
Announcements
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics 1.14 for Cloudera Pu...
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
View More Announcements