Access control in Tez can be categorized as follows:
From the above, you can see that All users/groups that have access to do operations on the AM also have access to similar operations on all DAGs within that AM/session. Also, by default, the owner of the Tez AM, i.e. the user who started the Tez AM, is considered a super-user and has access to all operations on the AM as well as all DAGs within the AM/Session.
Support for ACLs was introduced in Tez 0.5.0. Integration of these ACLs with YARN Timeline is only available from Tez 0.6.0 onwards.
By default, ACLs are always enabled in Tez. To disable ACLs, set the following configuration property:
<property>
<name>tez.am.acls.enabled</name>
<value>false</value>
</property>
AM/Session level ACLs are driven by configuration. To setup the ACLs, the following properties need to be defined:
<property>
<name>tez.am.view-acls</name>
<value></value>
</property>
<property>
<name>tez.am.modify-acls</name>
<value></value>
</property>
The format of the value is a comma-separated list of users and groups with the users and groups separated by a single whitespace. e.g. “user1,user2 group1,group2”. To allow all users to do a given operation, the value “*” can be specified.
In certain scenarios, applications may need DAGs running within a given Session to have different access permissions. In such cases, the ACLs for each DAG can be specified programmatically via the DAG API. Look for DAG::setAccessControls in the API docs for the Tez release that you are using. In this scenario, it is important to note that the Session ACLs should be defined with only super-users specified to ensure that other users do not inadvertently gain access to information for all DAGs within the given Session.