[ https://issues.apache.org/jira/browse/YARN-2435?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14105462#comment-14105462 ]
Varun Vasudev commented on YARN-2435:
-------------------------------------

[~MeMir] I think you're missing a setting in your yarn-site.xml. You need to set "yarn.acl.enable" to true and "yarn.admin.acl" to the users and/or groups who are administrators. You can find more details [here|http://hadoop.apache.org/docs/stable/hadoop-yarn/hadoop-yarn-common/yarn-default.xml].

When a request to kill an app is submitted, YARN checks for administrator privileges and queue administrator privileges. If yarn.acl.enable is set to false (by default), any user can kill any app. In addition, please don't forget to set yarn.admin.acl to the admin users because the default for that is "*" which also means that any user is an admin.

> Capacity scheduler should only allow Kill Application Requests from ADMINISTER_QUEUE users
> ------------------------------------------------------------------------------------------
>
> Key: YARN-2435
> URL: https://issues.apache.org/jira/browse/YARN-2435
> Project: Hadoop YARN
> Issue Type: Bug
> Components: capacityscheduler
> Affects Versions: 2.5.0, 2.4.1
> Environment: Red Hat Enterprise Linux Server release 6.4 (Santiago);
> Linux 2.6.32-358.el6.x86_64 GNU/Linux;
> $JAVA_HOME/bin/java -version
> java version "1.7.0_55"
> OpenJDK Runtime Environment (rhel-2.4.7.1.el6_5-x86_64 u55-b13)
> OpenJDK 64-Bit Server VM (build 24.51-b03, mixed mode)
> Reporter: Amir Mal
>
> A user without ADMINISTER_QUEUE privilege can kill application from all queues.
> to replicate the bug:
> 1) install cluster with {{yarn.resourcemanager.scheduler.class}} set to org.apache.hadoop.yarn.server.resourcemanager.scheduler.capacity.*CapacityScheduler*
> 2) created 2 users (user1, user2) each belong to a separate group (group1, group2)
> 3) set {{acl_submit_applications}} and {{acl_administer_queue}} of the {{root}} and {{root.default}} queues to group1
> 4) submit job to {{default}} queue by user1
> {quote}
> [user1@htc2n3 ~]$ mapred queue -showacls
> ...
> Queue acls for user : user1
> Queue Operations
> =====================
> root ADMINISTER_QUEUE,SUBMIT_APPLICATIONS
> default ADMINISTER_QUEUE,SUBMIT_APPLICATIONS
> [user1@htc2n3 ~]$ yarn jar /opt/apache/hadoop-2.5.0/share/hadoop/mapreduce/hadoop-mapreduce-examples-2.4.1.jar pi -Dmapreduce.job.queuename=default 4 1000000000
> {quote}
> 5) kill the application by user2
> {quote}
> [user2@htc2n4 ~]$ mapred queue -showacls
> ...
> Queue acls for user : user2
> Queue Operations
> =====================
> root
> default
> [user2@htc2n4 ~]$ yarn application -kill application_1408540602935_0004
> ...
> Killing application application_1408540602935_0004
> 14/08/21 14:37:54 INFO impl.YarnClientImpl: Killed application application_1408540602935_0004
> {quote}
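
A check for the two settings named in the comment above, as an added example (not part of the original message and not Hadoop project code): it parses a yarn-site.xml, applies the defaults the comment describes, and reports the settings that leave kill requests open to any user. The sample files, the user `yarnadmin` and the group `hadoop-admins` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Defaults as described in the comment: ACLs off, and "*" makes everyone an admin.
DEFAULTS = {"yarn.acl.enable": "false", "yarn.admin.acl": "*"}

def load_props(xml_text):
    """Return {name: value} from a Hadoop-style <configuration> document."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = prop.findtext("value") or ""
    return props

def audit_yarn_acls(xml_text):
    """List the settings that let any user kill any application."""
    # Properties absent from the file fall back to the defaults above.
    cfg = {**DEFAULTS, **load_props(xml_text)}
    findings = []
    if cfg["yarn.acl.enable"].strip().lower() != "true":
        findings.append("yarn.acl.enable is not true: ACLs are not enforced")
    if cfg["yarn.admin.acl"].strip() == "*":
        findings.append('yarn.admin.acl is "*": every user is an administrator')
    return findings

# Constructed sample files (not taken from the reporter's cluster).
WEAK = "<configuration></configuration>"
HARDENED = """<configuration>
  <property><name>yarn.acl.enable</name><value>true</value></property>
  <property><name>yarn.admin.acl</name><value>yarnadmin hadoop-admins</value></property>
</configuration>"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_yarn_acls(text) or "ok")
```

Enabling ACLs without also narrowing yarn.admin.acl still yields one finding, which is the case the comment warns about.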