Managing Data Operating System

Control Access to Queues with ACLs

Use access control lists (ACLs) to control user and administrator access to Capacity Scheduler queues.

Application submission can really only happen at the leaf queue level, but an ACL restriction set on a parent queue will be applied to all of its descendant queues.
Note
To enable ACLs, you must set the value of the yarn.acl.enable property in yarn-site.xml to true. The default value of this property is false.
In the Capacity Scheduler, ACLs are configured by granting queue access to a list of users and groups with the acl_submit_applications property. The format of the list is "user1,user2 group1,group2" -- a comma-separated list of users, followed by a space, followed by a comma-separated list of groups.
Note
The default value of acl_submit_applications for a root queue is yarn, which means that only the default yarn user can submit applications to that queue. Therefore, to provide specific users and groups with access to the queue, you must explicitly set the value of acl_submit_applications to those users and groups.

The value of acl_submit_applications can also be set to "*" (asterisk) to allow access to all users and groups, or can be set to "" (space character) to block access to all users and groups.

As mentioned previously, ACL settings on a parent queue are applied to all of its descendant queues. Therefore, if the parent queue uses the "*" (asterisk) value (or is not specified) to allow access to all users and groups, its child queues cannot restrict access. Similarly, before you can restrict access to a child queue, you must first set the parent queue to "" (space character) to block access to all users and groups.

For example, the following properties set the root acl_submit_applications value to "" (space character) to block access to all users and groups, and restrict access to its child "support" queue to the users "sherlock" and "pacioli" and the members of the "cfo-group" group.

Each child queue is tied to its parent queue with the yarn.scheduler.capacity.<queue-path>.queues configuration property in the capacity-scheduler.xml file. The top-level "support", "engineering", and "marketing" queues are children of the "root" queue, so the ACL property for the "support" queue uses the queue path root.support:

    <property>
     <name>yarn.scheduler.capacity.root.acl_submit_applications</name>
     <value> </value>
    </property>

    <property>
     <name>yarn.scheduler.capacity.root.support.acl_submit_applications</name>
     <value>sherlock,pacioli cfo-group</value>
    </property>

A separate ACL can be used to control the administration of queues at various levels. Queue administrators can submit applications to the queue, kill applications in the queue, and obtain information about any application in the queue (whereas normal users are restricted from viewing all of the details of other users' applications).

Administrator ACLs are configured with the acl_administer_queue property. ACLs for this property are inherited from the parent queue if not specified. For example, the following properties set the root acl_administer_queue value to "" (space character) to block access to all users and groups, and grant administrator access to its child "support" queue to the users "sherlock" and "pacioli" and the members of the "cfo-group" group:

    <property>
     <name>yarn.scheduler.capacity.root.acl_administer_queue</name>
     <value> </value>
    </property>

    <property>
     <name>yarn.scheduler.capacity.root.support.acl_administer_queue</name>
     <value>sherlock,pacioli cfo-group</value>
    </property>
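The following Python evaluator is an added illustration, not part of this documentation or of Hadoop itself. It applies the ACL rules described above to a capacity-scheduler.xml fragment: the "user1,user2 group1,group2" format, the "*" and "" (space) values, and the rule that a parent queue's ACL applies to its descendants. It assumes that an unset ACL behaves like "*" and that access is granted when the queue's own ACL or any ancestor's ACL allows the user; the "marketing" queue and its "social" child are constructed to show that a child cannot restrict what a "*" parent has opened.

```python
import xml.etree.ElementTree as ET

# Constructed capacity-scheduler.xml fragment based on the page's example,
# plus a "marketing" queue opened with "*" and a child that tries to close it.
CAPACITY_SCHEDULER_XML = """<configuration>
  <property><name>yarn.scheduler.capacity.root.acl_submit_applications</name><value> </value></property>
  <property><name>yarn.scheduler.capacity.root.support.acl_submit_applications</name><value>sherlock,pacioli cfo-group</value></property>
  <property><name>yarn.scheduler.capacity.root.marketing.acl_submit_applications</name><value>*</value></property>
  <property><name>yarn.scheduler.capacity.root.marketing.social.acl_submit_applications</name><value> </value></property>
</configuration>"""

PREFIX = "yarn.scheduler.capacity."

def load_properties(xml_text):
    """Map property name -> raw value; whitespace is kept so " " (nobody) survives."""
    root = ET.fromstring(xml_text)
    return {p.findtext("name"): p.findtext("value") or "" for p in root.iter("property")}

def parse_acl(acl):
    """Parse "user1,user2 group1,group2", "*" (everyone) or " " (nobody).
    Returns (everyone, users, groups); the first space separates users from groups."""
    parts = acl.split(" ", 1)
    if "*" in (p.strip() for p in parts):
        return True, set(), set()
    csv = lambda s: {x.strip() for x in s.split(",") if x.strip()}
    groups = csv(parts[1]) if len(parts) == 2 else set()
    return False, csv(parts[0]), groups

def acl_allows(acl, user, groups):
    everyone, users, acl_groups = parse_acl(acl)
    return everyone or user in users or bool(acl_groups & set(groups))

def can_submit(props, queue_path, user, groups):
    """Check the queue and then each ancestor; any ACL that allows the user wins,
    so a "*" on a parent cannot be undone by a child queue. An unset ACL is
    assumed to behave like "*" (assumption, not taken from the page)."""
    parts = queue_path.split(".")
    for depth in range(len(parts), 0, -1):
        name = PREFIX + ".".join(parts[:depth]) + ".acl_submit_applications"
        if acl_allows(props.get(name, "*"), user, groups):
            return True
    return False
```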