From: Prabhu Joseph
Date: Fri, 1 Jul 2016 15:36:48 +0530
Subject: Re: Queue ACLs overridden by yarn.admin.acl
To: Sunil Govind
Cc: yarn-dev@hadoop.apache.org

Thanks Sunil. Yes, it would be nice to have acl_view_applications on queue
similar to acl_administer_queue. A user can kill other user's job with
acl_administer_queue. Similarly, a user can be made to view other user's
job with acl_view_applications.

On Fri, Jul 1, 2016 at 1:40 PM, Sunil Govind wrote:
> Hi Prabhu
>
> If "yarn.admin.acl" is configured with "yarn", then "yarn" user can be
> used to administer apps in cluster generally. This is handled as per admin
> ACLs. Similarly CS also has Queue ACLs, and these ACLs can be set per
> queue level.
>
> So as per your example (with some minor changes)
>
> yarn.admin.acl yarn
> yarn.acl.enable true
>
> yarn.scheduler.capacity.root.test.acl_administer_queue=x
> yarn.scheduler.capacity.root.test.acl_submit_applications=*
> yarn.scheduler.capacity.root.acl_administer_queue=yarn,
> yarn.scheduler.capacity.root.acl_submit_applications=*
>
> Users "yarn" and "x" can have administer access in queue "test". Other
> users now cannot access apps submitted from "yarn" and "x" user.
>
> It seems like, you are looking for a read-only user who can view all apps
> in a queue/queues from UI or from cli. As I see it, we do not have such an
> option yet, and seems like you are looking for "acl_view_applications"
> mode. This comes with a complexity as we need clear separation in client
> apis (read-only vs read-write) for VIEW ACLs. Thoughts?
>
> Thanks
> Sunil
>
> On Thu, Jun 30, 2016 at 11:21 PM Prabhu Joseph wrote:
>
>> Hi All,
>>
>> On Hadoop-2.7.1, Yarn CapacityScheduler, a x user can kill the job
>> submitted by yarn user even though the x user does not have administer acl
>> on the queue. The queue -showacls does not show ADMINISTER_QUEUE on that
>> queue for x user but since yarn.admin.acl is *, it allows x to kill the
>> job. If we set yarn.admin.acl as yarn, then it works fine but which won't
>> allow all users to view all jobs in RM UI for secure cluster. So, how to
>> restrict some x user from killing other user job with yarn.admin.acl as *.
>>
>> yarn.admin.acl *
>> yarn.acl.enable true
>>
>> yarn.scheduler.capacity.root.test.acl_administer_queue=yarn,
>> yarn.scheduler.capacity.root.test.acl_submit_applications=*
>> yarn.scheduler.capacity.root.acl_administer_queue=yarn,
>> yarn.scheduler.capacity.root.acl_submit_applications=*
>>
>> [x@spark3 root]$ hadoop queue -showacls
>> Queue acls for user : x
>>
>> Queue           Operations
>> =====================
>> root            SUBMIT_APPLICATIONS
>> 129671_test1    SUBMIT_APPLICATIONS
>> default         SUBMIT_APPLICATIONS
>>
>> Thanks,
>> Prabhu Joseph
>>
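The decision the two messages above describe (yarn.admin.acl consulted before any queue ACL, so "*" admits every user as a cluster admin), as an added example that is not part of this thread or of Hadoop's own code. The ACL-string parsing and the rule that a parent queue's ACL covers its children are simplified assumptions, and the two config dictionaries are constructed from the settings quoted in the thread.

```python
# Added example, not from the thread or from Hadoop: a small model of the ACL
# decision the thread describes, so yarn.admin.acl="*" and "yarn" can be
# compared. Assumed (simplified) semantics: an ACL string is "*" (everyone)
# or "user1,user2 group1,group2"; yarn.admin.acl is checked first and grants
# everything; a queue's acl_administer_queue also covers its child queues.

def parse_acl(acl: str):
    """Return (all_allowed, users, groups) for a Hadoop-style ACL string."""
    acl = acl.strip()
    if acl == "*":
        return True, set(), set()
    parts = acl.split()
    users = {u for u in parts[0].split(",") if u} if parts else set()
    groups = {g for g in parts[1].split(",") if g} if len(parts) > 1 else set()
    return False, users, groups

def acl_allows(acl: str, user: str, user_groups=()) -> bool:
    all_allowed, users, groups = parse_acl(acl)
    return all_allowed or user in users or bool(groups & set(user_groups))

def can_administer_queue(conf, user, queue, user_groups=()) -> bool:
    """ADMINISTER_QUEUE check on the queue and each of its ancestors."""
    parts = queue.split(".")
    while parts:
        key = "yarn.scheduler.capacity.%s.acl_administer_queue" % ".".join(parts)
        if acl_allows(conf.get(key, " "), user, user_groups):  # " " = nobody
            return True
        parts.pop()
    return False

def can_kill_app(conf, caller, app_owner, queue, caller_groups=()) -> bool:
    """Model of the RM's kill (MODIFY_APP) decision: admin, owner or queue admin."""
    if conf.get("yarn.acl.enable", "false").lower() != "true":
        return True  # ACL checks disabled entirely
    if acl_allows(conf.get("yarn.admin.acl", "*"), caller, caller_groups):
        return True  # with yarn.admin.acl="*" this branch admits every user
    if caller == app_owner:
        return True
    return can_administer_queue(conf, caller, queue, caller_groups)

# Constructed configs mirroring the thread: weak (admin ACL "*") and fixed ("yarn").
WEAK_CONF = {
    "yarn.acl.enable": "true",
    "yarn.admin.acl": "*",
    "yarn.scheduler.capacity.root.acl_administer_queue": "yarn,",
    "yarn.scheduler.capacity.root.test.acl_administer_queue": "yarn,",
}
FIXED_CONF = dict(WEAK_CONF, **{"yarn.admin.acl": "yarn"})
```

Evaluating `can_kill_app(conf, "x", "yarn", "root.test")` returns True under WEAK_CONF and False under FIXED_CONF, which is the behaviour change the thread reports; granting "x" acl_administer_queue on root.test alone (Sunil's variant) re-admits "x" for that queue but not for others.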