Controlling access to queues using ACLs
Use Access-control lists (ACLs) to control access rights to users and administrators to the Capacity Scheduler queues.
Application submission can really only happen at the leaf queue level, but an ACL restriction set on a parent queue will be applied to all of its descendant queues.
- asterisk (
"*"
) - Allow access to all users and group
- space character (
" "
) - Block access to all users and groups
- empty string value (
""
) - Block access to all users and groups
As mentioned previously, ACL settings on a parent queue are applied to all of its descendant
queues. Therefore, if the parent queue uses the "*"
(asterisk) value (or is
not specified) to allow access to all users and groups, its child queues cannot restrict
access. Similarly, before you can restrict access to a child queue, you must first set the
parent queue to " "
(space character) or ""
(empty string
value) to block access to all users and groups.
For example, the following properties would set the root Submit Application
ACL value to " "
(space character) to block access to all users
and groups, and also restrict access to its child "support" queue to the users "sherlock" and
"john" and the members of the "cfo-group" group:
Each child queue is tied to its parent queue with the configuration property. The top-level "support", "engineering", and "marketing" queues would be tied to the "root" queue.
To set the ACLs based on this example, perform the following:
- In Cloudera Manager, select Clusters > YARN Queue Manager UI service. A graphical queue hierarchy is displayed in the Overview tab.
- Click on the three vertical dots on the queue you want to set ACL and select Edit Queue Properties option.
- In the Queue Properties dialog-box, add sherlock,john cfo-group in the Submit Application ACL text box.
- Click Save.
A separate ACL can be used to control the administration of queues at various levels. Queue administrators can submit applications to the queue, stop applications in the queue, and obtain information about any application in the queue (whereas normal users are restricted from viewing all of the details of other users' applications).
If the Queue Administer ACL value is set to " "
(space character) or ""
(empty string value), it blocks access to all users
and groups. If the ACL is set to sherlock,john cfo-group , it allows
access to the users "sherlock" and "john" and the members of the "cfo-group" group.