MapReduce Job ACLs

Create and use the following MapReduce Application ACLs to view YARN logs.

  • mapreduce.job.acl-view-job

    Provides read access to the MapReduce history and the YARN logs.

  • mapreduce.job.acl-modify-job
    Provides the same access as mapreduce.job.acl-view-job, and also allows the user to modify a running job.
During a search or other activities, you may come across the following two legacy settings from MapReduce; they are not supported by YARN. Do not use them:
  • mapreduce.cluster.acls.enabled
  • mapreduce.cluster.administrators

Killing an application

The Application ACL mapreduce.job.acl-modify-job determines whether or not a user can modify a job, but in the context of YARN, this only allows the user to kill an application. The kill action is application agnostic and part of the YARN framework. Other application types, like MapReduce or Spark, implement their own kill action independent of the YARN framework. MapReduce provides the kill actions via the mapred command.

For YARN, the following three groups of users are allowed to kill a running application:
  • The application owner
  • A cluster administrator defined in yarn.admin.acl
  • A queue administrator defined in aclAdministerApps for the queue in which the application is running

Note that for the queue administrators, ACL inheritance applies, as described earlier.