The current implementation of the Ranger YARN plugin creates Ranger policies for the ACLs specified in the YARN configuration files. When the resource manager is restarted with a different ACL configuration, the Ranger policies created for the earlier YARN ACLs are still evaluated and might allow access that is no longer configured in the YARN ACLs.
To fix this issue, the plugin should keep the YARN ACLs in memory, instead of creating Ranger policies for them, and evaluate them only when the Ranger policies are unable to determine the authorization.
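The following is an added example, not code from the Ranger plugin: a small Python model of the stale-policy behaviour described above next to the proposed in-memory fallback. The class names, the `restart_scenario` helper, the queue `root.dev`, the access label `submit-app` and the users are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class PolicyStore:
    """Stand-in for the persistent Ranger policy store (hypothetical model)."""
    # (queue, access) -> {user: True for allow, False for deny}
    policies: dict = field(default_factory=dict)

    def evaluate(self, user, queue, access) -> Optional[bool]:
        # None means no policy determines the result for this user.
        return self.policies.get((queue, access), {}).get(user)

class LegacyAuthorizer:
    """Behaviour described in the report: ACLs are copied into the store."""
    def __init__(self, store, yarn_acls):
        self.store = store
        for key, users in yarn_acls.items():
            for user in users:
                store.policies.setdefault(key, {})[user] = True

    def is_allowed(self, user, queue, access):
        return self.store.evaluate(user, queue, access) is True

class FallbackAuthorizer:
    """Proposed fix: ACLs stay in memory and are only a fallback."""
    def __init__(self, store, yarn_acls):
        self.store = store
        # Rebuilt from the configuration on every start, never persisted.
        self.yarn_acls = {k: set(v) for k, v in yarn_acls.items()}

    def is_allowed(self, user, queue, access):
        decision = self.store.evaluate(user, queue, access)
        if decision is not None:  # a Ranger policy decided, so it wins
            return decision
        return user in self.yarn_acls.get((queue, access), set())

def restart_scenario(authorizer_cls, store=None):
    """Start with alice in the ACL, restart with only bob; return (alice, bob)."""
    store = store if store is not None else PolicyStore()
    key = ("root.dev", "submit-app")  # constructed sample queue and access
    authorizer_cls(store, {key: {"alice"}})     # first start
    rm = authorizer_cls(store, {key: {"bob"}})  # restart with changed ACL
    return rm.is_allowed("alice", *key), rm.is_allowed("bob", *key)
```

With the legacy model, alice keeps access after the restart because her policy persists in the store; with the fallback model only the ACL currently loaded from the configuration is consulted, and an explicit Ranger decision still takes precedence over it.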