Return-Path: X-Original-To: apmail-hadoop-yarn-issues-archive@minotaur.apache.org Delivered-To: apmail-hadoop-yarn-issues-archive@minotaur.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id D04AF11DDB for ; Mon, 25 Aug 2014 06:48:58 +0000 (UTC) Received: (qmail 71389 invoked by uid 500); 25 Aug 2014 06:48:58 -0000 Delivered-To: apmail-hadoop-yarn-issues-archive@hadoop.apache.org Received: (qmail 71328 invoked by uid 500); 25 Aug 2014 06:48:58 -0000 Mailing-List: contact yarn-issues-help@hadoop.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: yarn-issues@hadoop.apache.org Delivered-To: mailing list yarn-issues@hadoop.apache.org Received: (qmail 71000 invoked by uid 99); 25 Aug 2014 06:48:58 -0000 Received: from arcas.apache.org (HELO arcas.apache.org) (140.211.11.28) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 25 Aug 2014 06:48:58 +0000 Date: Mon, 25 Aug 2014 06:48:58 +0000 (UTC) From: "Amir Mal (JIRA)" To: yarn-issues@hadoop.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Resolved] (YARN-2435) Capacity scheduler should only allow Kill Application Requests from ADMINISTER_QUEUE users MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 [ https://issues.apache.org/jira/browse/YARN-2435?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Amir Mal resolved YARN-2435. ---------------------------- Resolution: Invalid I was missing the following setting in my yarn-site.xml: "yarn.acl.enable" => true "yarn.admin.acl" => > Capacity scheduler should only allow Kill Application Requests from ADMINISTER_QUEUE users > ------------------------------------------------------------------------------------------ > > Key: YARN-2435 > URL: https://issues.apache.org/jira/browse/YARN-2435 > Project: Hadoop YARN > Issue Type: Bug > Components: capacityscheduler > Affects Versions: 2.5.0, 2.4.1 > Environment: Red Hat Enterprise Linux Server release 6.4 (Santiago); Linux 2.6.32-358.el6.x86_64 GNU/Linux; > $JAVA_HOME/bin/java -version > java version "1.7.0_55" > OpenJDK Runtime Environment (rhel-2.4.7.1.el6_5-x86_64 u55-b13) > OpenJDK 64-Bit Server VM (build 24.51-b03, mixed mode) > Reporter: Amir Mal > > A user without ADMINISTER_QUEUE privilege can kill application from all queues. > to replicate the bug: > 1) install cluster with {{yarn.resourcemanager.scheduler.class}} set to org.apache.hadoop.yarn.server.resourcemanager.scheduler.capacity.*CapacityScheduler* > 2) created 2 users (user1, user2) each belong to a separate group (group1, group2) > 3) set {{acl_submit_applications}} and {{acl_administer_queue}} of the {{root}} and {{root.default}} queues to group1 > 4) submit job to {{default}} queue by user1 > {quote} > [user1@htc2n3 ~]$ mapred queue -showacls > ... > Queue acls for user : user1 > Queue Operations > ===================== > root ADMINISTER_QUEUE,SUBMIT_APPLICATIONS > default ADMINISTER_QUEUE,SUBMIT_APPLICATIONS > [user1@htc2n3 ~]$ yarn jar /opt/apache/hadoop-2.5.0/share/hadoop/mapreduce/hadoop-mapreduce-examples-2.4.1.jar pi -Dmapreduce.job.queuename=default 4 1000000000 > {quote} > 5) kill the application by user2 > {quote} > [user2@htc2n4 ~]$ mapred queue -showacls > ... > Queue acls for user : user2 > Queue Operations > ===================== > root > default > [user2@htc2n4 ~]$ yarn application -kill application_1408540602935_0004 > ... > Killing application application_1408540602935_0004 > 14/08/21 14:37:54 INFO impl.YarnClientImpl: Killed application application_1408540602935_0004 > {quote} -- This message was sent by Atlassian JIRA (v6.2#6252)