Hello,
We are currently experimenting with ACLs on YARN pools.
Our goal is to have:
- a pool for each application where only the authorized user can submit jobs
- a group of users for each pool that can view application history and logs
I'm using the following fair-scheduler.xml file (generated with Cloudera Manager):
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<allocations>
  <queue name="root">
    <weight>1.0</weight>
    <schedulingPolicy>drf</schedulingPolicy>
    <aclSubmitApps></aclSubmitApps>
    <aclAdministerApps></aclAdministerApps>
    <queue name="appA">
      <weight>1.0</weight>
      <schedulingPolicy>drf</schedulingPolicy>
      <aclSubmitApps>appA developersA</aclSubmitApps>
      <aclAdministerApps>appA developersA</aclAdministerApps>
    </queue>
    <queue name="appB">
      <weight>1.0</weight>
      <schedulingPolicy>drf</schedulingPolicy>
      <aclSubmitApps>appB developersB</aclSubmitApps>
      <aclAdministerApps>appB developersB</aclAdministerApps>
    </queue>
  </queue>
</allocations>
For point 1 (pool access only by the app user) everything works fine, but I can't find a working configuration for point 2: for example, if user devA (in group developersA) tries to view the logs for an application launched in appA, they always get the following error (in the JH web console):
User [devA] is not authorized to view the logs for container_1469609032080_0001_01_000001 in log file
Any suggestion? Is this the intended behaviour or am I missing something?
Our cluster specs/settings:
- yarn.acl.enable = true
- yarn.admin.acl = "yarn clusterAdminGroup"
- CDH 5.7
- Kerberos authentication
- YARN web interface also using Kerberos authentication
Thank you,
Bye
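
Added example, not part of the original post: a small checker for what the queue ACLs in the allocation file above grant to a given user. It covers only this file and assumes Fair Scheduler semantics as follows: an ACL string is "users groups" (comma-separated, `*` for everyone), a grant on an ancestor queue applies to its children, and an absent ACL element means everyone on root and nobody elsewhere. The function names are hypothetical.

```python
import xml.etree.ElementTree as ET

ACL_TAGS = ("aclSubmitApps", "aclAdministerApps")
# ACL elements of the allocation file from the post (weights and policies trimmed).
ALLOCATIONS = """<allocations>
<queue name="root">
  <aclSubmitApps></aclSubmitApps>
  <aclAdministerApps></aclAdministerApps>
  <queue name="appA">
    <aclSubmitApps>appA developersA</aclSubmitApps>
    <aclAdministerApps>appA developersA</aclAdministerApps>
  </queue>
  <queue name="appB">
    <aclSubmitApps>appB developersB</aclSubmitApps>
    <aclAdministerApps>appB developersB</aclAdministerApps>
  </queue>
</queue>
</allocations>"""

def parse_acl(text):
    """Parse 'user1,user2 group1,group2'; return None when the ACL is '*'."""
    if text.strip() == "*":
        return None
    users, _, groups = text.partition(" ")
    split = lambda s: {x.strip() for x in s.split(",") if x.strip()}
    return split(users), split(groups)

def load_queues(xml_text):
    """Map full queue name -> {ACL tag: raw string, or None if the tag is absent}."""
    queues = {}
    def walk(node, prefix):
        for q in node.findall("queue"):
            name = prefix + q.get("name")
            queues[name] = {t: q.findtext(t) for t in ACL_TAGS}
            walk(q, name + ".")
    walk(ET.fromstring(xml_text), "")
    return queues

def has_access(queues, queue, tag, user, groups):
    """True if the ACL on the queue, or on any ancestor queue, admits the user."""
    while queue:
        raw = queues[queue][tag]
        if raw is None:  # element absent: assumed defaults (see lead-in)
            raw = "*" if queue == "root" else " "
        acl = parse_acl(raw)
        if acl is None or user in acl[0] or acl[1] & set(groups):
            return True
        queue = queue.rpartition(".")[0]  # step up to the parent queue
    return False
```

Against the file above, devA with group developersA passes both aclSubmitApps and aclAdministerApps on root.appA and neither on root.appB.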