[ https://issues.apache.org/jira/browse/YARN-6842?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16105120#comment-16105120 ]
YunFan Zhou commented on YARN-6842: ----------------------------------- Thank Naganarasimha G R, In fact, the original intention of the development of this feature was to solve the user authentication of RM Web UI. The RM Web UI has no user authentication by default. Therefore, all users who login RM WEB UI by default are use user Dr. Who (this is a YARN configuration decision). Before we did not open YARN user authentication (i.e. yarn.acl.enable set to false, yarn.admin.acl is set to * by default), we found that other users can also through the RM WEB UI kill other user's application, which can cause many users application failed. Therefore, we set the* yarn.acl.enable* to true , and set the *yarn. admin.acl* to the administrator account. However, there is a problem with this, which is that the *dr. who* (common account) is not authorized to view the applications of any queue unless the queue's *aclAdministerApps*(for the FairScheduler scenario) is set the user or *. So, the easiest way to solve this problem is to provide a VIEW_APP permissions for queue. And we only authorize user read permissions. This allows the user to view the applications of the queue properly, but not because the administrator privileges cause unnecessary misoperation to kill other users applications. So, I think this feature is very useful to me, and I think other users will have the same scenario. > Implement a new access type for queue > ------------------------------------- > > Key: YARN-6842 > URL: https://issues.apache.org/jira/browse/YARN-6842 > Project: Hadoop YARN > Issue Type: Improvement > Components: scheduler > Affects Versions: 2.8.2 > Reporter: YunFan Zhou > Assignee: YunFan Zhou > Attachments: YARN-6842.001.patch, YARN-6842.002.patch, > YARN-6842.003.patch > > > When we want to access applications of a queue, only we can do is become the > administer of the queue at present. > But sometimes we only want authorize someone view applications of a queue > but not modify operation. > In our current mechanism there isn't any way to meet it, so I will implement > a new access type for queue to solve > this problem. -- This message was sent by Atlassian JIRA (v6.4.14#64029) --------------------------------------------------------------------- To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org