Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

Yarn Queue ACL is not working.

Yarn Queue ACL is not working.

New Contributor
I have set-up ACL for a yarn queue(q01) from Ambari 'yarn queue manager' to allow only one user(user1) to submit jobs into the Queue. But irrespective of ACL's to the queue, all the users were able to submit jobs to the queue. Kindly let me know, is anything wrong am i doing here or any other configuration I missed.
Like below, aCL setup for queue 'q01' and parent queue root for user 'user1' to submit jobs:
=========================
    <property>
      <name>yarn.scheduler.capacity.root.acl_submit_applications</name>
      <value>user1 </value>
    </property>
    <property>
      <name>yarn.scheduler.capacity.root.q01.acl_submit_applications</name>
      <value>user1 </value>
    </property>
========================
Scenario 1: As per above ACL to q01, only user1 should be able to submit job but user2 was also able to submit job to q01 in below scenario2.
=================================
beeline -u jdbc:hive2://localhost:10000/default -n user1 -p user1 --hiveconf hive.execution.engine=mr
 0: jdbc:hive2://localhost:10000/default> set mapred.job.queue.name=q01;
No rows affected (0.089 seconds)
insert into test_u01 values (1);
INFO  : Table default.test_u01 stats: [numFiles=42, numRows=42, totalSize=84, rawDataSize=42]
No rows affected (21.783 seconds)
Scenario 2:
==================================
beeline -u jdbc:hive2://localhost:10000/default -n user2 -p user2 --hiveconf hive.execution.engine=mr
set mapred.job.queue.name=q01;
 0: jdbc:hive2://localhost:10000/default> insert into test_u01 values (1);
INFO  : Number of reduce tasks is set to 0 since there's no reduce operator
INFO  : Table default.test_u01 stats: [numFiles=43, numRows=43, totalSize=86, rawDataSize=43]
No rows affected (21.616 seconds)
===================================
3 REPLIES 3

Re: Yarn Queue ACL is not working.

@Turing nix - As mentioned in the below article:

https://community.hortonworks.com/articles/3229/capacity-scheduler-users-can-submit-to-any-queue.htm...

Set the root queue to deny-all, by entering a "space" for the value. Then set who to allow in the ACL for each child queue. For example:

  1. yarn.scheduler.capacity.root.acl_submit_applications=
  2. yarn.scheduler.capacity.root.default.acl_administer_jobs=appdev
  3. yarn.scheduler.capacity.root.default.acl_submit_applications=appdev

Re: Yarn Queue ACL is not working.

New Contributor

@Namit Maheshwari @Neeraj Sabharwal

Thanks for the information, but in Yarn Queue Manager the user in 'Submit Applications' for a queue is unable to accept space in it. Is their a way to do it and have you ever tried it internally, just checking and even tried to enter space manually in capacity-scheduler.xml file like below and it didn't worked.

<property>

<name>yarn.scheduler.capacity.root.acl_submit_applications</name>

<value> </value>

</property>

Highlighted

Re: Yarn Queue ACL is not working.

HI @Turing nix,

In Yarn Queue Manager, it says "leave blank to deny access for everyone". So i think you need not enter space as well.

Attached is the screenshot for the same.screenshot.png

Don't have an account?
Coming from Hortonworks? Activate your account here