Configuring the Yarn Permission Control
Scenario
In multi-tenant security mode, multiple users share a cluster and submit and execute their own tasks without seeing each other's information. Permission control is required to prevent users from accessing each other's task details.
For example, if user B logs in to the system and views the application list when the application submitted by user A is running, user B should not be able to view the application information of user A.
Configuration Description
- Viewing Yarn configuration parameters
Go to the All Configurations page of Yarn and enter a parameter name listed in Table 1 in the search box. For details, see Modifying Cluster Service Configuration Parameters.
Table 1 Parameter description

| Parameter | Description | Default Value |
| --- | --- | --- |
| yarn.acl.enable | Whether to enable Yarn permission control | true |
| yarn.webapp.filter-entity-list-by-user | Whether to enable the strict view function. After this function is enabled, a login user can view only the content that the user has the permission to view. To enable this function, set yarn.acl.enable to true. NOTE: This parameter applies to clusters of MRS 3.x or later. | true |
- Viewing MapReduce configuration parameters
Go to the All Configurations page of MapReduce and search for a parameter name in Table 2. For details, see Modifying Cluster Service Configuration Parameters.
Table 2 Parameter description

| Parameter | Description | Default Value |
| --- | --- | --- |
| mapreduce.cluster.acls.enabled | Whether to enable permission control of MapReduce JobHistoryServer. This parameter is a client parameter and takes effect after permission control is enabled on the JobHistoryServer server. | true |
| yarn.webapp.filter-entity-list-by-user | Whether to enable the strict view of MapReduce JobHistoryServer. After the strict view is enabled, a login user can view only the content that the user has the permission to view. This parameter is a server parameter of JobHistoryServer. It indicates that permission control is enabled for JHS. However, whether to control a specific application is determined by the client parameter mapreduce.cluster.acls.enabled. NOTE: This parameter applies to clusters of MRS 3.x or later. | true |
The preceding configurations affect the RESTful API and Shell command results. After the preceding configurations are enabled, the return results of RESTful API calls and shell commands contain only the information that the user has the permission to view.
If yarn.acl.enable or mapreduce.cluster.acls.enabled is false, the Yarn or MapReduce permission verification function is disabled. In this case, any user can submit tasks and view task information on Yarn or MapReduce, which poses security risks. Exercise caution when performing this operation.
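The following audit script is an added example, not part of the original documentation or of MRS. It assumes the Yarn and MapReduce settings have been exported in the Hadoop `<configuration>/<property>` XML layout (sample documents are constructed inline), and it reports any of the parameters above that would let users see each other's tasks. Function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs in the Hadoop <configuration>/<property> layout.
YARN_SITE = """<configuration>
  <property><name>yarn.acl.enable</name><value>false</value></property>
  <property><name>yarn.webapp.filter-entity-list-by-user</name><value>true</value></property>
</configuration>"""
MAPRED_SITE = """<configuration>
  <property><name>mapreduce.cluster.acls.enabled</name><value>true</value></property>
  <property><name>yarn.webapp.filter-entity-list-by-user</name><value>true</value></property>
</configuration>"""

STRICT = "yarn.webapp.filter-entity-list-by-user"


def load_props(xml_text):
    """Return {name: value} from a Hadoop-style configuration document."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props


def is_true(props, key):
    # Assumption: an unset key is reported rather than trusted to default to true.
    return props.get(key, "").lower() == "true"


def audit(yarn, mapred):
    """Return findings for the view-isolation parameters in Tables 1 and 2."""
    findings = []
    acl = is_true(yarn, "yarn.acl.enable")
    if not acl:
        findings.append("yarn.acl.enable is not true: Yarn permission verification is disabled")
    if not is_true(yarn, STRICT):
        findings.append(f"Yarn {STRICT} is not true: strict view is off")
    elif not acl:
        findings.append(f"Yarn {STRICT} is set but requires yarn.acl.enable to be true")
    if not is_true(mapred, "mapreduce.cluster.acls.enabled"):
        findings.append("mapreduce.cluster.acls.enabled is not true: "
                        "JobHistoryServer permission control is not applied to jobs")
    if not is_true(mapred, STRICT):
        findings.append(f"JobHistoryServer {STRICT} is not true: strict view is off")
    return findings


if __name__ == "__main__":
    for finding in audit(load_props(YARN_SITE), load_props(MAPRED_SITE)):
        print("FINDING:", finding)
```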