Queue Access Control Lists

Describes how to restrict access to queues using Access Control Lists (ACLs).

Queue Access Control List (ACL)s allow administrators to control who may take actions on particular queues. They are configured with the following properties:

yarn.scheduler.capacity.root.support.acl_submit_applications
yarn.scheduler.capacity.root.support.acl_administer_queue

You can set these properties for each queue. Currently, the only supported administrative action is killing an application. Anyone who has permission to administer a queue may also submit applications to it. These properties take values in a format such as user1,user2 group1,group2 or group1,group2. An action on a queue is permitted if its user or group is in the ACL of that queue, or in the ACL of any of that queue's ancestors. So if queue2 is inside queue1, and user1 is in queue1's ACL, and user2 is in queue2's ACL, then both users may submit to queue2.

The root queue's ACLs are "*" by default. Since ACL are passed down, by default, everyone may submit to, and kill applications from every queue. To restrict access, change the root queue's ACLs to something other than *.

By default, the yarn.admin.acl property in yarn-site.xml is also set to *, which means that any user can be the administrator. If queue ACLs are enabled, you also need to set the yarn.admin.acl property to the correct admin user for the YARN cluster. For example:

<property>
<name>yarn.admin.acl</name> > 
<value>mapr</value> > 
</property>

If you do not set this property correctly, users can kill YARN jobs even when they do not have access to the queues for those jobs.