YARN with ACL - unable to view logs from RM webconsole

Hello,

 

We are currently experimenting with ACLs on YARN pools.

 

Our goal is to have:

  1. a pool for each application where only the authorized user can submit jobs
  2. a group of users for each pool that can view application history and logs

 

I'm using the following fair-scheduler.xml file (generated with Cloudera Manager):

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<allocations>
    <queue name="root">
        <weight>1.0</weight>
        <schedulingPolicy>drf</schedulingPolicy>
        <aclSubmitApps></aclSubmitApps>
        <aclAdministerApps></aclAdministerApps>
        <queue name="appA">
            <weight>1.0</weight>
            <schedulingPolicy>drf</schedulingPolicy>
            <aclSubmitApps>appA developersA</aclSubmitApps>
            <aclAdministerApps>appA developersA</aclAdministerApps>
        </queue>
        <queue name="appB">
            <weight>1.0</weight>
            <schedulingPolicy>drf</schedulingPolicy>
            <aclSubmitApps>appB developersB</aclSubmitApps>
            <aclAdministerApps>appB developersB</aclAdministerApps>
        </queue>
    </queue>
</allocations>

 

For point 1 (pool access only by app user) everything works fine, but I can't find a working configuration for point 2: for example, if user devA (in group developersA) tries to view the logs for an application launched in appA, they always get the following error (in the JH web console):

 

User [devA] is not authorized to view the logs for container_1469609032080_0001_01_000001 in log file

 

Any suggestion? Is this the intended behaviour or am I missing something?

 

Our cluster specs/settings:

  • yarn.acl.enable = true
  • yarn.admin.acl = "yarn clusterAdminGroup"
  • CDH 5.7
  • Kerberos authentication
  • YARN web interface also using Kerberos authentication


Thank you,
Bye

1 ACCEPTED SOLUTION

If you are referring to MapReduce Job History Server by JH, JHS has its own job ACL control. If an MR job is configured with

mapreduce.job.acl-view-job = {users you want to allow to view the job, see mapred-default.xml for details on format}

Then JHS will allow the specified user to view the job.
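
The value format the answer points to in mapred-default.xml, as an added example that is not part of the original post: a small Python model of how a Hadoop ACL string of the form "users groups" is evaluated, applied to the devA/developersA case from the question. The group memberships and job owner are constructed sample data, the function names are hypothetical, and only the owner check and the view ACL are modeled.

```python
# Added illustration (not Hadoop source): evaluate a Hadoop-style ACL string.
# Group memberships and the job owner are constructed sample data.

def parse_acl(acl):
    """Split 'user1,user2 group1,group2' into (allow_all, users, groups)."""
    if acl.strip() == "*":
        return True, set(), set()
    # The first space separates users from groups, so a value that starts
    # with a space names groups only, and a lone space names nobody.
    users_part, _, groups_part = acl.partition(" ")
    users = {u.strip() for u in users_part.split(",") if u.strip()}
    groups = {g.strip() for g in groups_part.split(",") if g.strip()}
    return False, users, groups


def can_view_job(view_acl, owner, user, user_groups):
    """Simplified model: the job owner passes, others need the view ACL."""
    if user == owner:
        return True
    allow_all, users, groups = parse_acl(view_acl)
    return allow_all or user in users or bool(groups & set(user_groups))


# Constructed memberships matching the names used in the question.
GROUPS = {"appA": ["appA"], "devA": ["developersA"], "devB": ["developersB"]}


def audit(view_acl, owner="appA"):
    """Return {user: allowed} for every sample user under one ACL value."""
    return {u: can_view_job(view_acl, owner, u, g) for u, g in GROUPS.items()}


if __name__ == "__main__":
    # Candidate values for mapreduce.job.acl-view-job on a job in queue appA.
    for value in [" ", "developersA", " developersA", "devA", "*"]:
        print(repr(value), audit(value))
```

A value of "developersA" without the leading space is read as a user name, so devA is still denied; " developersA" grants the group.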
