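Below is my scheduler XML file. I have restricted access to the root queue, where the dev2 and qa2 users should only submit to their own queues. But I can also submit jobs to the QA queue as the dev2 user, which should not happen. I have also made the corresponding changes in the Ranger YARN policy and disabled the super policy that gives all users access to all queues. Please advise.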
yarn.scheduler.capacity.root.default.user-limit-factor=1
yarn.scheduler.capacity.root.default.state=RUNNING
yarn.scheduler.capacity.root.default.maximum-capacity=40
yarn.scheduler.capacity.root.default.capacity=40
yarn.scheduler.capacity.root.default.acl_submit_applications=
yarn.scheduler.capacity.root.default.acl_administer_jobs=
yarn.scheduler.capacity.root.capacity=100
yarn.scheduler.capacity.root.acl_administer_queue=
yarn.scheduler.capacity.root.accessible-node-labels=*
yarn.scheduler.capacity.node-locality-delay=40
yarn.scheduler.capacity.maximum-applications=10000
yarn.scheduler.capacity.maximum-am-resource-percent=0.2
yarn.scheduler.capacity.default.minimum-user-limit-percent=100
capacity-scheduler=null
yarn.scheduler.capacity.root.queues=dev,qa,default
yarn.scheduler.capacity.root.acl_administer_jobs=
yarn.scheduler.capacity.root.default.acl_administer_queue=
yarn.scheduler.capacity.root.default.user-limit=1
yarn.scheduler.capacity.root.dev.acl_submit_applications=dev2
yarn.scheduler.capacity.root.dev.capacity=30
yarn.scheduler.capacity.root.dev.maximum-capacity=30
yarn.scheduler.capacity.root.dev.user-limit=1
yarn.scheduler.capacity.root.qa.acl_submit_applications=qa2
yarn.scheduler.capacity.root.qa.capacity=30
yarn.scheduler.capacity.root.qa.maximum-capacity=30
yarn.scheduler.capacity.root.qa.user-limit=1
Answer 0 (score: 0)
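You missed the property that blocks access to the root queue.
Here root is the parent queue of the dev and qa child queues. Access to this queue is not restricted, so all users and groups can access this queue and its child queues.
Add this property to capacity-scheduler.xml: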
<property>
<name>yarn.scheduler.capacity.root.acl_submit_applications</name>
<value> </value>
</property>
This blocks access to the root queue for all users and groups, and the ACLs provided for the child queues will then restrict access as defined.
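
The inheritance described in the answer above, as an added example that is not part of the original post or of YARN's own code: a simplified Python model of the submit-ACL check, run against the question's dev and qa settings before and after the fix. It assumes the documented Capacity Scheduler ACL format (`users groups`, `*` for anyone, blank for no one) and the documented `*` default for an unset root ACL; the function names are hypothetical.

```python
# Added example: simplified model of Capacity Scheduler submit-ACL checks.
ROOT_DEFAULT_ACL = "*"  # assumption: documented default when root's ACL is unset

def parse_props(text):
    """Parse key=value lines (as listed in the question) into a dict."""
    props = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition("=")
        props[key.strip()] = value  # keep the value verbatim; " " is meaningful
    return props

def acl_allows(acl, user, groups=()):
    """ACL format: 'user1,user2 group1,group2'; '*' = anyone; blank = no one."""
    if acl.strip() == "*":
        return True
    users_part, _, groups_part = acl.partition(" ")
    users = {u for u in users_part.split(",") if u}
    allowed_groups = {g for g in groups_part.strip().split(",") if g}
    return user in users or bool(allowed_groups & set(groups))

def can_submit(props, queue_path, user, groups=()):
    """A user may submit if the queue itself or any ancestor grants access."""
    parts = queue_path.split(".")
    for depth in range(1, len(parts) + 1):
        path = ".".join(parts[:depth])
        key = f"yarn.scheduler.capacity.{path}.acl_submit_applications"
        default = ROOT_DEFAULT_ACL if path == "root" else " "
        if acl_allows(props.get(key, default), user, groups):
            return True
    return False

# Constructed sample: only the submit-ACL lines from the question's listing.
QUESTION_CONFIG = """
yarn.scheduler.capacity.root.dev.acl_submit_applications=dev2
yarn.scheduler.capacity.root.qa.acl_submit_applications=qa2
"""

before = parse_props(QUESTION_CONFIG)
after = dict(before)
# The answer's fix: a single space means "no one" at the root queue.
after["yarn.scheduler.capacity.root.acl_submit_applications"] = " "

if __name__ == "__main__":
    for label, cfg in (("before", before), ("after", after)):
        for user in ("dev2", "qa2"):
            for queue in ("root.dev", "root.qa"):
                print(label, user, queue, can_submit(cfg, queue, user))
```
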