Support Questions
Find answers, ask questions, and share your expertise
Announcements
Check out our newest addition to the community, the Cloudera Innovation Accelerator group hub.

Yarn Queue ACL is not working.

Explorer
I have set-up ACL for a yarn queue(q01) from Ambari 'yarn queue manager' to allow only one user(user1) to submit jobs into the Queue. But irrespective of ACL's to the queue, all the users were able to submit jobs to the queue. Kindly let me know, is anything wrong am i doing here or any other configuration I missed.
Like below, aCL setup for queue 'q01' and parent queue root for user 'user1' to submit jobs:
=========================
    <property>
      <name>yarn.scheduler.capacity.root.acl_submit_applications</name>
      <value>user1 </value>
    </property>
    <property>
      <name>yarn.scheduler.capacity.root.q01.acl_submit_applications</name>
      <value>user1 </value>
    </property>
========================
Scenario 1: As per above ACL to q01, only user1 should be able to submit job but user2 was also able to submit job to q01 in below scenario2.
=================================
beeline -u jdbc:hive2://localhost:10000/default -n user1 -p user1 --hiveconf hive.execution.engine=mr
 0: jdbc:hive2://localhost:10000/default> set mapred.job.queue.name=q01;
No rows affected (0.089 seconds)
insert into test_u01 values (1);
INFO  : Table default.test_u01 stats: [numFiles=42, numRows=42, totalSize=84, rawDataSize=42]
No rows affected (21.783 seconds)
Scenario 2:
==================================
beeline -u jdbc:hive2://localhost:10000/default -n user2 -p user2 --hiveconf hive.execution.engine=mr
set mapred.job.queue.name=q01;
 0: jdbc:hive2://localhost:10000/default> insert into test_u01 values (1);
INFO  : Number of reduce tasks is set to 0 since there's no reduce operator
INFO  : Table default.test_u01 stats: [numFiles=43, numRows=43, totalSize=86, rawDataSize=43]
No rows affected (21.616 seconds)
===================================
3 REPLIES 3

@Turing nix - As mentioned in the below article:

https://community.hortonworks.com/articles/3229/capacity-scheduler-users-can-submit-to-any-queue.htm...

Set the root queue to deny-all, by entering a "space" for the value. Then set who to allow in the ACL for each child queue. For example:

  1. yarn.scheduler.capacity.root.acl_submit_applications=
  2. yarn.scheduler.capacity.root.default.acl_administer_jobs=appdev
  3. yarn.scheduler.capacity.root.default.acl_submit_applications=appdev

Explorer

@Namit Maheshwari @Neeraj Sabharwal

Thanks for the information, but in Yarn Queue Manager the user in 'Submit Applications' for a queue is unable to accept space in it. Is their a way to do it and have you ever tried it internally, just checking and even tried to enter space manually in capacity-scheduler.xml file like below and it didn't worked.

<property>

<name>yarn.scheduler.capacity.root.acl_submit_applications</name>

<value> </value>

</property>

HI @Turing nix,

In Yarn Queue Manager, it says "leave blank to deny access for everyone". So i think you need not enter space as well.

Attached is the screenshot for the same.screenshot.png