hadoop-yarn-issues mailing list archives

From "Varun Vasudev (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-2435) Capacity scheduler should only allow Kill Application Requests from ADMINISTER_QUEUE users
Date Thu, 21 Aug 2014 15:25:11 GMT

    [ https://issues.apache.org/jira/browse/YARN-2435?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14105462#comment-14105462 ]

Varun Vasudev commented on YARN-2435:
-------------------------------------

[~MeMir] I think you're missing a setting in your yarn-site.xml. You need to set "yarn.acl.enable"
to true and "yarn.admin.acl" to the users and/or groups who are administrators. You can find
more details [here|http://hadoop.apache.org/docs/stable/hadoop-yarn/hadoop-yarn-common/yarn-default.xml].

When a request to kill an app is submitted, YARN checks for administrator privileges and
queue administrator privileges. If yarn.acl.enable is set to false (by default), any user can
kill any app. In addition, please don't forget to set yarn.admin.acl to the admin users because
the default for that is "*" which also means that any user is an admin.

> Capacity scheduler should only allow Kill Application Requests from ADMINISTER_QUEUE users
> ------------------------------------------------------------------------------------------
>
>                 Key: YARN-2435
>                 URL: https://issues.apache.org/jira/browse/YARN-2435
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: capacityscheduler
>    Affects Versions: 2.5.0, 2.4.1
>         Environment: Red Hat Enterprise Linux Server release 6.4 (Santiago);  Linux 2.6.32-358.el6.x86_64 GNU/Linux;
> $JAVA_HOME/bin/java -version
> java version "1.7.0_55"
> OpenJDK Runtime Environment (rhel-2.4.7.1.el6_5-x86_64 u55-b13)
> OpenJDK 64-Bit Server VM (build 24.51-b03, mixed mode)
>            Reporter: Amir Mal
>
> A user without ADMINISTER_QUEUE privilege can kill applications from all queues.
> To replicate the bug:
> 1) install cluster with {{yarn.resourcemanager.scheduler.class}} set to org.apache.hadoop.yarn.server.resourcemanager.scheduler.capacity.*CapacityScheduler*
> 2) create 2 users (user1, user2), each belonging to a separate group (group1, group2)
> 3) set {{acl_submit_applications}} and {{acl_administer_queue}} of the {{root}} and {{root.default}} queues to group1
> 4) submit job to {{default}} queue by user1
> {quote}
> [user1@htc2n3 ~]$ mapred  queue -showacls
> ...
> Queue acls for user :  user1
> Queue  Operations
> =====================
> root  ADMINISTER_QUEUE,SUBMIT_APPLICATIONS
> default  ADMINISTER_QUEUE,SUBMIT_APPLICATIONS
> [user1@htc2n3 ~]$ yarn  jar /opt/apache/hadoop-2.5.0/share/hadoop/mapreduce/hadoop-mapreduce-examples-2.4.1.jar pi -Dmapreduce.job.queuename=default 4 1000000000
> {quote}
> 5) kill the application by user2
> {quote}
> [user2@htc2n4 ~]$ mapred  queue -showacls
> ...
> Queue acls for user :  user2
> Queue  Operations
> =====================
> root
> default
> [user2@htc2n4 ~]$ yarn application -kill application_1408540602935_0004
> ...
> Killing application application_1408540602935_0004
> 14/08/21 14:37:54 INFO impl.YarnClientImpl: Killed application application_1408540602935_0004
> {quote}



--
This message was sent by Atlassian JIRA
(v6.2#6252)
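
As an added example (not part of the original message and not Hadoop project code), a small Python check that reads a yarn-site.xml document and flags the two settings the comment names, applying the defaults it describes when a property is absent. The sample documents and the names `alice` and `hadoop-admins` are constructed; the ACL string layout (comma-separated users, a space, then comma-separated groups) is the standard Hadoop ACL syntax.

```python
import xml.etree.ElementTree as ET

# Defaults as described in the comment above: ACL checks off, "*" (everyone) is admin.
DEFAULTS = {"yarn.acl.enable": "false", "yarn.admin.acl": "*"}

# Constructed samples: a yarn-site.xml left at defaults, and one that follows the advice.
SITE_DEFAULT = "<configuration></configuration>"
SITE_HARDENED = """<configuration>
  <property><name>yarn.acl.enable</name><value>true</value></property>
  <property><name>yarn.admin.acl</name><value>alice hadoop-admins</value></property>
</configuration>"""


def load_props(xml_text):
    """Return the effective values of the two properties, falling back to defaults."""
    props = dict(DEFAULTS)
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name in DEFAULTS:
            props[name] = prop.findtext("value") or ""
    return props


def parse_acl(value):
    """Split a Hadoop ACL string 'user1,user2 group1,group2' into (users, groups)."""
    users, _, groups = value.partition(" ")
    split = lambda s: [x.strip() for x in s.split(",") if x.strip()]
    return split(users), split(groups)


def audit(xml_text):
    """List the settings that leave 'kill application' open to any user."""
    props = load_props(xml_text)
    findings = []
    if props["yarn.acl.enable"].strip().lower() != "true":
        findings.append("yarn.acl.enable is not true: ACL checks are off")
    if props["yarn.admin.acl"].strip() == "*":
        findings.append('yarn.admin.acl is "*": every user is an admin')
    return findings


if __name__ == "__main__":
    for label, doc in (("default", SITE_DEFAULT), ("hardened", SITE_HARDENED)):
        print(label, audit(doc) or "ok")
    print(parse_acl(load_props(SITE_HARDENED)["yarn.admin.acl"]))
```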
