Controlling Access to Queues with ACLs
Access-control lists (ACLs) can be used to restrict user and administrator access to queues. Application submission can really only happen at the leaf queue level, but an ACL restriction set on a parent queue will be applied to all of its descendant queues.
Note | |
---|---|
To enable ACLs, you must set the value of the |
In the Capacity Scheduler, ACLs are configured by granting queue access to a list of users and groups with the acl_submit_applications
property. The format of the list is "user1,user2 group1,group2" -- a comma-separated list of users, followed by a space, followed by a comma-separated list of groups.
The value of acl_submit_applications
can also be set to "*" (asterisk) to allow access to all users and groups, or can be set to "" (space character) to block access to all users and groups.
As mentioned previously, ACL settings on a parent queue are applied to all of its descendant queues. Therefore, if the parent queue uses the "*" (asterisk) value (or is not specified) to allow access to all users and groups, its child queues cannot restrict access. Similarly, before you can restrict access to a child queue, you must first set the parent queue to "" (space character) to block access to all users and groups.
For example, the following properties would set the root acl_submit_applications value to "" (space character) to block access to all users and groups, and also restrict access to its child "support" queue to the users "sherlock" and "pacioli" and the members of the "cfo-group" group:
<property> <name>yarn.scheduler.capacity.root.acl_submit_applications</name> <value> </value> </property> <property> <name>yarn.scheduler.capacity.root.support.acl_submit_applications</name> <value>sherlock,pacioli cfo-group</value> </property>
A separate ACL can be used to control the administration of queues at various levels. Queue administrators can submit applications to the queue, kill applications in the queue, and obtain information about any application in the queue (whereas normal users are restricted from viewing all of the details of other users' applications).
Administrator ACLs are configured with the acl_administer_queue
property. ACLs for this property are inherited from the parent queue if not specified. For example, the following properties would set the root acl_administer_queue
value to "" (space character) to block access to all users and groups, and also grant administrator access to its child "support" queue to the users "sherlock" and "pacioli" and the members of the "cfo- group" group:
<property> <name>yarn.scheduler.capacity.root.acl_administer_queue</name> <value> </value> </property> <property> <name>yarn.scheduler.capacity.root.support.acl_administer_queue</name> <value>sherlock,pacioli cfo-group</value> </property>