Details
-
Improvement
-
Status: Open
-
Major
-
Resolution: Unresolved
-
None
-
None
-
None
Description
The mapred-site.xml options mapreduce.job.acl-modify-job and mapreduce.job.acl-view-job both specify that queue ACLs should apply for read and modify operations on a job, however according to org.apache.hadoop.yarn.server.security.ApplicationACLsManager.java this feature has not been implemented.
This is very important otherwise it is difficult to manage a cluster with a complicated queue hierarchy without either putting everyone in the admin ACL, getting many support tickets or asking people to remember to set mapreduce.job.acl-modify-job and mapreduce.job.acl-view-job.
Extract from mapred-default.xml:
Irrespective of this ACL configuration, (a) job-owner, (b) the user who started the cluster, (c) members of an admin configured supergroup configured via mapreduce.cluster.permissions.supergroup and (d) queue administrators of the queue to which this job was submitted to configured via acl-administer-jobs for the specific queue in mapred-queues.xml can do all the view operations on a job.