Apache ZooKeeper ACLs: YARN

The authentication method is different in CDP than it was in CDH. As a result the znodes under /yarn-leader-election and /rmstore most likely do not have the safest ACLs set after the upgrade.

You can resolve this situation in two ways:

Delete the znodes. In this case application history will be lost.
Temporary disable the ZooKeeper security, and set the ACLs using the ZooKeeper CLI. This is a less intrusive option.

When YARN recreates the znode they will have the correct ACLs.

If the znode have sasl:principal then name:cdrwa is the safest option, meaning that only YARN's user has read and write access to the znodes.