YARN Queue ACLs
Use Queue ACLs to identify and control which users and/or groups can take actions on particular queues. Queue ACLs are scheduler dependent.
Use Queue ACLs to identify and control which users and/or groups can take actions on particular queues. Configure Queue ACLs using the aclSubmitApps and aclAdministerApps properties, which are set per queue. Queue ACLs are scheduler dependent, and the implementation and enforcement differ per scheduler type.
Unlike the YARN Admin ACL, Queue ACLs are not enabled and enforced by default. Instead, you must explicitly enable Queue ACLs. Queue ACLs are defined, per queue, in the Fair Scheduler configuration. By default, neither of the Queue ACL property types is set on any queue, and access is allowed or open to any user.
The users and groups defined in the
yarn.admin.acl are considered to be part of the Queue ACL,
aclAdministerApps. So any user or group that is defined
yarn.admin.acl can submit to any queue
and kill any running application in the system.
The aclSubmitApps Property
Use the Queue ACL
aclSubmitApps property type to enable users and groups to submit or add an
application to the queue upon which the property is set. To move an application from one queue
to another queue, you must have Submit permissions for both the queue in which the application
is running, and the queue into which you are moving the application. You must be an
administrator to set Admin ACLs; contact your system administrator to request Submit permission
on this queue.
The aclAdministerApps Property
aclAdministerAppsproperty type to enable all actions defined in the aclSubmitApps property, plus any administrative actions that have been defined (the only administrative action currently defined and supported in this context is killing an application).
aclAdministerAppsindicates a group-only rule:
<queue name="Marketing"> <aclSubmitApps>john,jane</aclSubmitApps> <aclAdministerApps><single space>others</aclAdministerApps> </queue>