[ https://issues.apache.org/jira/browse/YARN-9445?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16811950#comment-16811950 ]
Szilard Nemeth commented on YARN-9445:
--------------------------------------

[~sunilg], [~bibinchundatt]: I'm confused. The 3.2.0 docs (https://hadoop.apache.org/docs/r3.2.0/hadoop-yarn/hadoop-yarn-site/FairScheduler.html#Queue_Access_Control_Lists for FS/ACLs) say:

"Queue Access Control Lists (ACLs) allow administrators to control who may take actions on particular queues. They are configured with the aclSubmitApps and aclAdministerApps properties, which can be set per queue. Currently the only supported administrative action is killing an application. An administrator may also submit applications to it."

In this sense, aclAdministerApps not only gives permissions to execute admin operations but also gives submission permissions to queues.

For me, not giving an administrator rights to everything seems controversial, so the documentation is more logical.

All in all, if we go with the direction that admins don't get submission rights then we should also make sure the documentation is in line with the decision.

I do agree with [~eyang] about restricting the default admin ACL to something other than '*' but this requires a follow-up jira, I think.

> yarn.admin.acl is futile
> ------------------------
>
> Key: YARN-9445
> URL: https://issues.apache.org/jira/browse/YARN-9445
> Project: Hadoop YARN
> Issue Type: Bug
> Components: security
> Affects Versions: 3.3.0
> Reporter: Peter Simon
> Assignee: Gergely Pollak
> Priority: Major
> Attachments: YARN-9445.001.patch
>
>
> * Define a queue with restrictive administerApps settings (e.g. yarn)
> * Set yarn.admin.acl to "*".
> * Try to submit an application with user yarn, it is denied.
> This way my expected behaviour would be that while everyone is admin, I can
> submit to whatever pool.
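Added example (not part of the original message and not YARN's code): a small Python model of the documented Fair Scheduler semantics quoted in the comment, where aclAdministerApps also grants submission, next to the yarn.admin.acl question from the report. The queue names, users, groups and the `cluster_admin_may_submit` switch are hypothetical; the ACL string format ("users groups", "*" for everyone, a single space for nobody) and inheritance from ancestor queues follow the Hadoop documentation.

```python
# Model only: illustrates the two readings discussed in YARN-9445.

def acl_allows(spec, user, groups=()):
    """Evaluate a Hadoop-style ACL string: 'u1,u2 g1,g2', '*' = all, ' ' = none."""
    if spec.strip() == "*":
        return True
    users, _, grps = spec.partition(" ")
    allowed_users = {u for u in users.split(",") if u}
    allowed_groups = {g for g in grps.strip().split(",") if g}
    return user in allowed_users or bool(allowed_groups & set(groups))

# Constructed sample hierarchy. The root ACLs are locked down on purpose,
# because ACLs are inherited by child queues.
QUEUES = {
    "root": {"parent": None, "aclSubmitApps": " ", "aclAdministerApps": " "},
    "root.etl": {"parent": "root", "aclSubmitApps": "alice",
                 "aclAdministerApps": "bob ops"},
}

def can_submit(queue, user, groups=(), yarn_admin_acl=" ",
               cluster_admin_may_submit=False):
    """True if `user` may submit to `queue` under the modelled policy.

    cluster_admin_may_submit=False models the behaviour reported in the
    issue (yarn.admin.acl is not consulted for submission); True models the
    reporter's expectation that cluster admins may submit anywhere.
    """
    if cluster_admin_may_submit and acl_allows(yarn_admin_acl, user, groups):
        return True
    q = queue
    while q is not None:  # walk up to root: an ancestor's ACL also applies
        conf = QUEUES[q]
        if (acl_allows(conf["aclSubmitApps"], user, groups)
                or acl_allows(conf["aclAdministerApps"], user, groups)):
            return True
        q = conf["parent"]
    return False

if __name__ == "__main__":
    for who in ("alice", "bob", "yarn"):
        print(who, can_submit("root.etl", who, yarn_admin_acl="*"))
```

With `yarn_admin_acl="*"`, user yarn is denied under the reported behaviour and allowed only when `cluster_admin_may_submit=True`, which is the gap the issue and the comment are arguing over.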