ZooKeeper ACLs Best Practices: YARN

YARN related ZooKeeper ACLs are automatically created using Cloudera Manager. Review the list of default ACLs to ensure they are set as recommended for YARN.

Cloudera Manager automatically sets some ZooKeeper ACLs related YARN properties that are used by the YARN service to set up the default ZooKeeper ACLs. That means no manual configuration step is needed. However, customized principles are set by Cloudera Manager only at first launch. For any later launches Clouder Manager checks only the root znodes.
  • ZooKeeper Usage:
    • /yarn-leader-election - used for RM leader election

    • /rmstore - used for storing RM application state

  • Default ACLs:

    • /yarn-leader-election - sasl:[***customized principle upon first launch***]:cdrwa

    • /rmstore - sasl:[***customized principle upon first launch***]:cdrwa

If default ACLs are set incorrectly, perform one of the following workarounds:
  • Delete the znode and restart the YARN service.

  • Use the reset ZK ACLs command. This also sets the znodes below /rmstore/ZKRMStateRoot to world:anyone:cdrwa which is less secure.