[ https://issues.apache.org/jira/browse/MAPREDUCE-3903?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13217690#comment-13217690 ]
Thomas Graves commented on MAPREDUCE-3903: ------------------------------------------ Ok, so it looks like there are a few bugs in the code. Here is basically what I am planning implementing: - yarn acls/application acls are separate from mapreduce acls. They only control what a user can view/modify on the RM. This include the admins as well. So yarn.admins do not apply to AM/history server. - mapreduce job acls are put into application acls when application is submitted (this didn't change) - the mapreduce application master and mapreduce job history server purely use the mapreduce job acls - this includes mapreduce.cluster.acls.enabled, mapreduce.cluster.administrators, acl-view-job, and acl-modify-job. This separates out yarn from mapreduce so that someone could be admin for mapreduce without being yarn admin and when other apps are ported to yarn, they can be separate too. The reason I don't have yarn admins apply to job history server is because the job history server is a mapreduce only component and shouldn't be looking at the yarn configs. The only problem with this still is it appears the AM and job history server are using the job configuration so the user can override the settings - this is bad!! I need to investigate that more. > no admin override to view jobs on mr app master and job history server > ---------------------------------------------------------------------- > > Key: MAPREDUCE-3903 > URL: https://issues.apache.org/jira/browse/MAPREDUCE-3903 > Project: Hadoop Map/Reduce > Issue Type: Bug > Components: mrv2 > Reporter: Thomas Graves > Assignee: Thomas Graves > Priority: Critical > Fix For: 0.23.0 > > > in 1.0 there was a config mapreduce.cluster.administrators that allowed > administrators to view anyones job. That no longer works on yarn. > yarn has the new config yarn.admin.acl but it appears the mr app master and > job history server don't use that. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira