Hi All,
On Hadoop-2.7.1 with the YARN CapacityScheduler, a user x can kill the job
submitted by the yarn user even though user x does not have the administer ACL
on the queue. The queue -showacls output does not show ADMINISTER_QUEUE on that
queue for user x, but since yarn.admin.acl is *, it allows x to kill the
job. If we set yarn.admin.acl to yarn, then it works fine, but that won't
allow all users to view all jobs in the RM UI for a secure cluster. So, how do we
restrict some user x from killing another user's job with yarn.admin.acl as *?

yarn.admin.acl *
yarn.acl.enable true

yarn.scheduler.capacity.root.test.acl_administer_queue=yarn,
yarn.scheduler.capacity.root.test.acl_submit_applications=*
yarn.scheduler.capacity.root.acl_administer_queue=yarn,
yarn.scheduler.capacity.root.acl_submit_applications=*

[x@spark3 root]$ hadoop queue -showacls
Queue acls for user : x
Queue Operations
=====================
root SUBMIT_APPLICATIONS
129671_test1 SUBMIT_APPLICATIONS
default SUBMIT_APPLICATIONS

Thanks,
Prabhu Joseph
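
The behaviour reported above, reproduced as an added example that is not part of the original post and is not Hadoop code: a simplified model of the order in which YARN decides whether a caller may kill an application. The function names, the empty group list for user x, and the root.test queue path for the job are assumptions; application-level modify ACLs are left out.

```python
# Added illustration: simplified model of YARN's kill-permission checks.
# Not Hadoop source; application-level modify ACLs are left out.

def parse_acl(spec):
    """Parse a Hadoop ACL string 'users groups'; returns None for '*'."""
    if spec.strip() == "*":
        return None
    users, _, groups = spec.partition(" ")
    return ({u for u in users.split(",") if u},
            {g for g in groups.split(",") if g})

def permits(acl, user, groups):
    """True if the parsed ACL admits this user or any of their groups."""
    if acl is None:
        return True
    users, acl_groups = acl
    return user in users or bool(acl_groups & set(groups))

def kill_allowed_by(conf, caller, groups, owner, queue_path):
    """Return the setting that lets caller kill owner's app, or None."""
    if conf.get("yarn.acl.enable", "false") != "true":
        return "yarn.acl.enable=false"
    # Cluster admins are checked before any queue ACL is consulted.
    if permits(parse_acl(conf.get("yarn.admin.acl", "*")), caller, groups):
        return "yarn.admin.acl"
    if caller == owner:
        return "owner"
    # Queue admin rights are inherited: walk from the leaf up to root.
    parts = queue_path.split(".")
    for depth in range(len(parts), 0, -1):
        queue = ".".join(parts[:depth])
        key = f"yarn.scheduler.capacity.{queue}.acl_administer_queue"
        default = "*" if queue == "root" else " "  # assumed defaults when unset
        if permits(parse_acl(conf.get(key, default)), caller, groups):
            return key
    return None

# Settings as posted in the message above.
POSTED_CONF = {
    "yarn.admin.acl": "*",
    "yarn.acl.enable": "true",
    "yarn.scheduler.capacity.root.test.acl_administer_queue": "yarn,",
    "yarn.scheduler.capacity.root.acl_administer_queue": "yarn,",
}
# Same settings with yarn.admin.acl set to yarn, the variant the post mentions.
ADMIN_ONLY_CONF = dict(POSTED_CONF, **{"yarn.admin.acl": "yarn"})

if __name__ == "__main__":
    for name, conf in (("posted", POSTED_CONF), ("admin=yarn", ADMIN_ONLY_CONF)):
        print(name, "->", kill_allowed_by(conf, "x", [], "yarn", "root.test"))
```

In this model the queue ACLs never get a chance to deny user x under the posted settings, which is why hadoop queue -showacls and the observed kill behaviour disagree.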