Access-control lists (ACLs) can be used to restrict user and administrator access to queues. Application submission can really only happen at the leaf queue level, but an ACL restriction set on a parent queue will be applied to all of its descendant queues.
In the Capacity Scheduler, ACLs are configured by granting queue access to a list of
users and groups with the acl_submit_applications property. The format of
the list is "user1,user2 group1,group" -- a comma-separated list of users, followed by a
space, followed by a comma-separated list of groups.
The value of acl_submit_applications can also be set to "*" (asterisk) to
allow access to all users and groups, or can be set to " " (space character) to block
access to all users and groups.
The following example would restrict access to the "support" queue to the users "sherlock" and "pacioli" and the members of the "cfo-group" group:
Property:
yarn.scheduler.capacity.root.support.acl_submit_applications
Value:
sherlock,pacioli cfo-group
A separate ACL can be used to control the administration of queues at various levels. Queue administrators can submit applications to the queue (without an explicit submit-ACL), kill any application in the queue, and obtain information about any application in the queue (whereas normal users are restricted from viewing all of the details of other users' applications).
Administrator ACLs are configured with the acl_administer_queue property.
The following example would grant administrator access to the "support" queue to the
members of "cfo-group":
Property:
yarn.scheduler.capacity.root.support.acl_administer_queue
Value:
cfo-group
Description: A space character followed by "cfo-group" (unquoted).
