Control access to queues with ACLs
Use Access-control lists (ACLs) to control user and administrator to Capacity Scheduler queues.
acl_submit_applicationsproperty. The format of the list is "user1,user2 group1,group2" -- a comma-separated list of users, followed by a space, followed by a comma-separated list of groups.
The value of
acl_submit_applications can also be set to "*" (asterisk) to
allow access to all users and groups, or can be set to "" (space character) to block access to
all users and groups.
As mentioned previously, ACL settings on a parent queue are applied to all of its descendant queues. Therefore, if the parent queue uses the "*" (asterisk) value (or is not specified) to allow access to all users and groups, its child queues cannot restrict access. Similarly, before you can restrict access to a child queue, you must first set the parent queue to "" (space character) to block access to all users and groups.
For example, the following properties would set the root acl_submit_applications value to "" (space character) to block access to all users and groups, and also restrict access to its child "support" queue to the users "sherlock" and "pacioli" and the members of the "cfo-group" group:
Each child queue is tied to its parent queue with the
yarn.scheduler.capacity.<queue-path>.queues configuration property in
the capacity-scheduler.xml file. The top-level "support", "engineering", and "marketing"
queues would be tied to the "root"
To set the ACLs based on this example, perform the following:
- In Cloudera Manager, select the YARN service.
- Click the Configuration tab.
- Search for yarn-site.xml.
- In YARN Service Advanced Configuration Snippet (Safety Valve) for
yarn-site.xml field, add the following:
Name: yarn.scheduler.capacity.root.acl_submit_applications Value:
Name: yarn.scheduler.capacity.root.support.acl_submit_applications Value: sherlock,pacioli cfo-group
A separate ACL can be used to control the administration of queues at various levels. Queue administrators can submit applications to the queue, kill applications in the queue, and obtain information about any application in the queue (whereas normal users are restricted from viewing all of the details of other users' applications).
Administrator ACLs are
configured with the
acl_administer_queue property. ACLs for this property are
inherited from the parent queue if not specified. For example, the following properties would
set the root
acl_administer_queue value to "" (space character) to block
access to all users and groups, and also grant administrator access to its child "support"
queue to the users "sherlock" and "pacioli" and the members of the "cfo- group"