Use the Security HTTP RESTful API Microservices to manage privileges (authorization) of users on CDAP entities as well as manage secure storage.
...
All methods or endpoints described in this API have a base URL (typically http://<host>:11015
or https://<host>:10443
) that precedes the resource identifier, as described in the RESTful API Conventions. These methods return a status code, as listed in the RESTful API Status Codes.
Authorization
Use the CDAP Authorization HTTP RESTful API to grant, revoke, and list privileges on CDAP entities. Details about authorization in CDAP can be found at Authorization.
...
The actions
list contains the actions you want to grant the principal
on the entity
. The supported actions are READ
, WRITE
, ADMIN
, and EXECUTE
.
Grant Privileges
You can grant privileges to a principal on a CDAP Entity by making an HTTP POST request to the URL:
...
Granting privileges is only supported for ROLE
type.
HTTP Responses
Status Codes | Description |
---|---|
| Privileges were successfully granted for the specified principal. |
Revoke Privileges
You can revoke privileges for a principal on a CDAP Entity by making an HTTP POST request to the URL:
...
If both
principal
andactions
are not provided, then the API revokes all privileges on the specified entity for all principals.If
authorizable
andprincipal
are provided, butactions
is not, the API revokes all actions (READ
,WRITE
,ADMIN
, andEXECUTE
) on the specified entity for the specified principal.Revoking privileges is only supported for
ROLE
type.
HTTP Responses
Status Codes | Description |
---|---|
| Privileges were successfully revoked. |
List Privileges
You can list all privileges for a principal on all CDAP entities by making an HTTP GET request to the URL:
...
Parameter | Description |
---|---|
| The principal type, one of |
| Name of the principal. |
HTTP Responses
Status Codes | Description |
---|---|
| Privileges were successfully listed for the specified principal. |
...
Listing privileges are supported for USER
, GROUP
and ROLE
type.
Secure Storage
Use the Secure Storage HTTP RESTful API to create, retrieve, and delete secure keys.
Details about secure storage and secure keys in CDAP can be found in Secure Storage.
Create a Secure Key
You can create a secure key to secure storage by making an HTTP PUT request to the URL:
...
Parameter | Description |
---|---|
| Namespace ID. |
| Name of the key to add to secure storage. |
| String data to be added under the key. This could be a passphrase, cryptographic key, access token, service account JSON, or any other data that needs to be stored securely. Note: If you want to create a secure key for a Service Account in a Compute Profile for a Dataproc cluster, you must convert the service account JSON to a valid string, which means it must be converted into a single-line JSON string and all quotes need to be escaped. |
| Name of a property key to associate with the secure key. |
| Value associated with the property key. |
HTTP Responses
Status Codes | Description |
---|---|
| The secure key was successfully added to secure storage. |
| An incorrectly-formatted body was sent with the request or the |
| The namespace specified in the request does not exist. |
Retrieve a Secure Key
You can retrieve a secure key from secure storage by making an HTTP GET request to the URL:
...
Parameter | Description |
---|---|
| Namespace ID. |
| Name of the key to retrieve from secure storage. |
HTTP Responses
Status Codes | Description |
---|---|
| The secure key was successfully retrieved. |
| The namespace specified in the request does not exist or the secure key with that name does not exist in that namespace. |
Retrieve the Metadata for a Secure Key
You can retrieve just the metadata for a secure key from secure storage by making an HTTP GET request to the URL:
...
Parameter | Description |
---|---|
| Namespace ID. |
| Name of the key to retrieve from secure storage. |
HTTP Responses
Status Codes | Description |
---|---|
| Metadata for the secure key was successfully retrieved. |
| The namespace specified in the request does not exist or a secure key by the specified name does not exist in the specified namespace. |
List all Secure Keys
You can retrieve all the keys in a namespace from secure storage by making an HTTP GET request to the URL:
...
Parameter | Description |
---|---|
| Namespace ID. |
HTTP Responses
Status Codes | Description |
---|---|
| The keys were successfully retrieved. |
| The namespace specified in the request does not exist. |
Remove a Secure Key
You can remove a secure key from secure storage by making an HTTP DELETE request to the URL:
...
Parameter | Description |
---|---|
| Namespace ID. |
| Name of the key to remove from secure storage. |
HTTP Responses
Status Codes | Description |
---|---|
| The key was successfully removed. |
| The namespace specified in the request does not exist or a secure key by the specified name does not exist in the specified namespace. |
...