To be honest, once again my lousy English reading ability is causing me pain.
1. Reference, from the official HDP documentation: https://docs.cloudera.com/HDPDocuments/HDP2/HDP-2.6.0/bk_yarn-resource-management/content/controlling_access_to_queues_with_acls.html
The value of acl_submit_applications can also be set to "*" (asterisk) to allow access to all users and groups, or can be set to "" (space character) to block access to all users and groups.
As mentioned previously, ACL settings on a parent queue are applied to all of its descendant queues. Therefore, if the parent queue uses the "*" (asterisk) value (or is not specified) to allow access to all users and groups, its child queues cannot restrict access. Similarly, before you can restrict access to a child queue, you must first set the parent queue to "" (space character) to block access to all users and groups.
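2. HDP uses the Capacity Scheduler by default (I did not try switching to Fair). To enable ACL access control on queues, two things are needed:
(1) In yarn-site.xml, set yarn.acl.enable=true; this property defaults to false.
(2) For ACL access control to work on a leaf queue, the parent queue's Administer Queue and Submit Applications properties must also be set to an empty string: ""
3. Example:
(1) First, configure the root queue, root (required):
(2) Second, taking the parent queue test as an example, here is how to configure it so that queue ACL control works.
(3) Finally, configure the two child queues of test, hadoop and root1:
The hadoop queue is configured as follows: only the hadoop user may submit to and administer the hadoop queue:
The root1 queue is configured as follows: only the root user may submit to and administer the root1 queue:
(4) Notes:
Note 1: Although the queues we configured are displayed as:
when using them we only need the names root1 and hadoop, because using root.test.root1 or test.root1 produces the error unknown queue ***, which means that name is not recognized.
Note 2: Queue names configured in HDP must be unique; the same queue name cannot be configured among the child queues of different parent queues.
(5) Testing omitted; no time for screenshots.
(6) References: https://docs.cloudera.com/HDPDocuments/HDP2/HDP-2.6.0/bk_yarn-resource-management/content/default_queue_mapping_based_on_user_or_group.html#enable_override_of_default_queue_mappings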
https://mp.weixin.qq.com/s/xZT8oQ1SUnxXxCTHkmA8Ig
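The parent/child ACL rule from sections 1 to 3 above, as an added example (not code from the original post or from HDP): it walks a queue path from root to leaf and reports which queue grants submit access, which makes an over-permissive parent easy to spot. The sample configuration is constructed to mirror the post's root, test, hadoop/root1 layout; the function names are hypothetical, unset ACLs are treated as "*" as an assumption, and cluster admins (yarn.admin.acl) are not modelled.

```python
PREFIX = "yarn.scheduler.capacity."

# Constructed sample mirroring the post's layout: root -> test -> {hadoop, root1}.
# ' ' (a single space) means "nobody", '*' means "everyone".
HARDENED = {
    PREFIX + "root.acl_submit_applications": " ",
    PREFIX + "root.acl_administer_queue": " ",
    PREFIX + "root.test.acl_submit_applications": " ",
    PREFIX + "root.test.acl_administer_queue": " ",
    PREFIX + "root.test.hadoop.acl_submit_applications": "hadoop",
    PREFIX + "root.test.hadoop.acl_administer_queue": "hadoop",
    PREFIX + "root.test.root1.acl_submit_applications": "root",
    PREFIX + "root.test.root1.acl_administer_queue": "root",
}
# Same leaf settings, but root left at '*': the leaf restrictions have no effect.
WEAK = dict(HARDENED, **{PREFIX + "root.acl_submit_applications": "*"})


def acl_allows(acl, user, groups=()):
    """ACL value format: 'user1,user2 group1,group2'."""
    if acl.strip() == "*":
        return True
    users, _, grps = acl.partition(" ")
    allowed_users = {u for u in users.split(",") if u}
    allowed_groups = {g for g in grps.strip().split(",") if g}
    return user in allowed_users or bool(allowed_groups & set(groups))


def granting_queue(conf, leaf_path, user, groups=()):
    """Return the first queue from root to leaf that lets `user` submit, else None.
    Submit or administer rights on any ancestor are enough to submit to the leaf.
    Assumption: an unset ACL is treated as '*'."""
    parts = leaf_path.split(".")
    for i in range(1, len(parts) + 1):
        queue = ".".join(parts[:i])
        for kind in ("acl_submit_applications", "acl_administer_queue"):
            acl = conf.get(f"{PREFIX}{queue}.{kind}", "*")
            if acl_allows(acl, user, groups):
                return queue
    return None


if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("hardened", HARDENED)):
        for user in ("hadoop", "root"):
            q = granting_queue(conf, "root.test.hadoop", user)
            verdict = f"granted by {q}" if q else "denied"
            print(f"{name}: {user} -> root.test.hadoop: {verdict}")
```

A result naming an ancestor queue rather than the leaf means the leaf's own ACL is not what is controlling access.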
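Queue mapping policy: when configured, you can override the default queue mapping and submit an application to the queue specified for it rather than the one defined in the default queue mapping. By default, overriding the default queue mapping is disabled (set to false).
Note: all test commands below are the following one, with no queue explicitly specified: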
hadoop jar /usr/hdp/2.6.0.3-8/hadoop-mapreduce/hadoop-mapreduce-examples-2.7.3.2.6.0.3-8.jar pi 10 10
1. u:%user:%user
To specify that all applications are submitted to the queue with the same name as a user, use this mapping assignment:
u:%user:%user
This requires that queues are set up with the same name as the users. With this queue mapping, applications submitted by user "greg" will be submitted to the queue "greg".
eg:
Because the root queue is the root queue and has no submit permission configured, this example failed.
2. u:%user:%primary_group
To specify that all applications are submitted to the queue with the same name as a group, use this mapping assignment:
u:%user:%primary_group
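Question: submitting to the queue named after the user's group does take effect here, but one problem remains: how do you change a user's group in a Hadoop cluster? I don't know how to do this; only once that is understood does this parameter become most useful.
3. u:user1:queueA and g:group1:queueB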
To specify that all applications submitted by a specific user are submitted to a specific queue, use the following mapping assignment:
u:user1:queueA
This defines a mapping assignment for applications submitted by the "user1" user to be submitted to queue "queueA" by default.
To specify that all applications submitted by a specific group of users are submitted to a specific queue, use the following mapping assignment:
g:group1:queueB
This defines a mapping assignment for applications submitted by any user in the group "group1" to be submitted to queue "queueB" by default.
eg1:
g:wkz:hadoop
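Mapping users in the wkz group to submit to the root1 queue: did not work.
I don't know why jobs are not submitted to the hadoop queue.
eg2: u:root:hadoop,u:hadoop:root1,g:wkz:hadoop
Mapping the root user to submit to the hadoop user: the configuration did take effect, but the job could not be submitted; the queue's specific permissions need to be changed, as follows:
Alternatively, it can be changed to a specific user (e.g. root); as the result below shows, the job ran successfully.
4. Summary
1. Defining a default mapping policy (Mapping) lets jobs be submitted to the configured queue when the user does not specify a queue at submission.
2. With Override Queue Mappings checked, a user who specifies a queue at submission can bypass the configured queue mapping and submit to the resource-pool queue they specified. (In actual testing, users could submit to a specified queue whether or not the box was checked; I don't understand this and don't know which part I have misunderstood.)
3. Multiple queue mappings are separated by commas, but every queue must already exist, otherwise the configuration cannot be saved.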