Queue ACL Evaluation
The better you understand how Queue ACLs are evaluated, the more prepared you are to define and configure them. First, you should have a basic understanding of how Fair Scheduler queues work.
CDH Fair Scheduler supports hierarchical queues, all of which descend from a root queue, which is automatically created and defined within the system when the Scheduler starts.
Available resources are distributed among the children (“leaf” queues) of the root queue in a typical fair scheduling fashion. Then, the children distribute their assigned resources to their children in the same fashion.
As mentioned earlier, applications are scheduled on leaf queues only. You specify queues as children of other queues by placing them as sub-elements of their parents in the Fair Scheduler allocation file (fair-scheduler.xml). The default Queue ACL setting for all parent and leaf queues is “ ” (a single space), which means that by default, no one can access any of these queues.
Queue ACL inheritance is enforced by assessing the ACLs defined in the queue hierarchy in a bottom-up order to the root queue. So within this hierarchy, access evaluations start at the level of the bottom-most leaf queue. If the ACL does not provide access, then the parent Queue ACL is checked. These evaluations continue upward until the root queue is checked.
Best practice: To secure an environment, set the root queue aclSubmitApps ACL to <single space>, and specify a limited set of users and groups in the ACLs for all other queues to provide submit or administrative access as appropriate.
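The bottom-up evaluation and the root-queue best practice described above can be checked against an allocation file with a short script. This is an added example, not Cloudera's or the scheduler's own code; the queue, user and group names and the helper functions are hypothetical, and the sample XML is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample allocation file; queue, user and group names are made up.
ALLOCATIONS = """<allocations>
  <queue name="root">
    <aclSubmitApps> </aclSubmitApps>
    <queue name="prod">
      <aclSubmitApps>etl_svc prod_ops</aclSubmitApps>
      <queue name="reports"><aclSubmitApps>alice</aclSubmitApps></queue>
    </queue>
    <queue name="adhoc"><aclSubmitApps> analysts</aclSubmitApps></queue>
  </queue>
</allocations>"""
# Same hierarchy with the root ACL opened to everyone, for comparison.
OPEN_ROOT = ALLOCATIONS.replace("<aclSubmitApps> </aclSubmitApps>",
                                "<aclSubmitApps>*</aclSubmitApps>", 1)

def acl_allows(acl, user, groups):
    """ACL string is 'user1,user2 group1,group2'; '*' = everyone, ' ' = no one."""
    if acl.strip() == "*":
        return True
    users, _, grps = acl.partition(" ")
    allowed_users = {u for u in users.split(",") if u}
    allowed_groups = {g.strip() for g in grps.split(",") if g.strip()}
    return user in allowed_users or bool(allowed_groups & set(groups))

def queue_chain(root_el, path):
    """Resolve 'root.a.b' and return its queue elements leaf-first."""
    names = path.split(".")
    if names[0] != root_el.get("name"):
        raise KeyError(path)
    chain = [root_el]
    for name in names[1:]:
        child = next((q for q in chain[-1].findall("queue")
                      if q.get("name") == name), None)
        if child is None:
            raise KeyError(path)
        chain.append(child)
    return chain[::-1]

def submit_granted_by(xml_text, path, user, groups=()):
    """Walk from the leaf up to root; return the first queue whose
    aclSubmitApps admits the caller, or None if no level does."""
    root_el = ET.fromstring(xml_text).find("queue")
    for q in queue_chain(root_el, path):
        # Assumption: an unset ACL is the single-space default the page describes.
        if acl_allows(q.findtext("aclSubmitApps", default=" "), user, groups):
            return q.get("name")
    return None

if __name__ == "__main__":
    for who in ("alice", "etl_svc", "bob"):
        print(who, submit_granted_by(ALLOCATIONS, "root.prod.reports", who),
              submit_granted_by(OPEN_ROOT, "root.prod.reports", who))
```

With the root ACL set to a single space, a user not listed at any level is denied; with the root ACL set to `*`, the same user is admitted by the root queue regardless of how restrictive the leaf ACL is.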