YARN ACL rules

Learn about the YARN ACL rules to which all YARN ACLs must adhere.

All YARN ACLs must adhere to the following rules:
  • Special Values:
    • The wildcard character (*) indicates that everyone has access.
    • A single space entry indicates that no one has access.
  • If there are no spaces in an ACL, then all entries (the listed users and/or groups) are considered authorized users.
  • Group names in YARN Resource Manager ACLs are case sensitive. So, if you specify an uppercase group name in the ACL, it will not match the group name resolved from the Active Directory because Active Directory group names are resolved in lowercase.
  • If an ACL starts with a single space, then it must consist of groups only.
  • All entries after the occurrence of a second single space in an ACL are ignored.
  • There are no ACLs that deny access to a user or group. However, if you wish to block access to an operation entirely, enter a value for a non-existent user or group (for example,'NOUSERS NOGROUPS'), or simply enter a single space. By doing so, you ensure that no user or group maps to a particular operation by default.
  • If you wish to deny only a certain set of users and/or groups, specify every single user and/or group that requires access. Users and/or groups that are not included are "implicitly" denied access.