Wildcard   Meaning
*          matches zero or more characters
?          matches a single character

The following sections provide examples of granting wildcard privileges.
Sentry Integration
The CDAP CLI can be used to grant or revoke privileges when CDAP is integrated with Apache Sentry. For a complete list of commands, see Security Commands.
Sentry only allows granting privileges to roles. Roles can then be assigned to groups.
To create a new role, use:

    > create role <role-name>

To grant or revoke privileges on an entity to or from a role, use:

    > grant actions <actions> on entity <entity> to role <role-name>
    > revoke actions <actions> on entity <entity> from role <role-name>

where:

<actions> is a comma-separated list of privileges, any of READ, WRITE, EXECUTE, or ADMIN.
<entity> is of the form <entity-type>:<entity-id>
Entity Type         Entity Id
namespace           <namespace-id>
application         <namespace-id>.<app-id>
program             <namespace-id>.<app-id>.<program-type>.<program-id>
dataset             <namespace-id>.<dataset-id>
artifact            <namespace-id>.<artifact-id>
dataset_type        <namespace-id>.<dataset-type-id>
dataset_module      <namespace-id>.<dataset-module-id>
securekey           <namespace-id>.<secure-key-id>
kerberosprincipal   <kerberos-principal-id>
<program-type> is one of: mapreduce, service, spark, worker, or workflow.

Wildcards can be used in the entity id to grant privileges on multiple entities. For example:

    namespace:ns*        represents all namespaces whose names start with ns
    namespace:ns?        represents all namespaces whose names are ns followed by exactly one character
    program:ns1.app1.*   represents all programs in the application app1 in the namespace ns1
To add the role to a group, use:

    > add role <role-name> to group <group-name>

To check the results, list the privileges for a principal:

    > list privileges for <principal-type> <principal-name>

where <principal-type> can be user, group, or role.
Example

To give alice (who belongs to the group admin) the ADMIN privilege on namespace ns1 and on all entities in that namespace:

1. Create a new role, ns1_administrator.
2. Grant the role ns1_administrator ADMIN on these entities:
       namespace:ns1
       application:ns1.*
       program:ns1.*.*
       artifact:ns1.*
       dataset:ns1.*
       dataset_type:ns1.*
       dataset_module:ns1.*
       securekey:ns1.*
3. Add the role ns1_administrator to the group admin.
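Before a wildcard grant is issued, it helps to know exactly which entities it will reach. The following Python script is an added example written for this page, not CDAP or Sentry code: it models the wildcard semantics described above (`*` matches zero or more characters, `?` exactly one, and, as the page's `program:ns1.app1.*` example implies, `*` is assumed to match across `.` separators), expands a grant set against a constructed entity inventory, and reports any entity the grants reach outside the intended namespace. It also builds the CLI command lines for the ns1_administrator example from the command templates shown above. The inventory, role and group names are constructed for illustration.

```python
import re

# Entity types and id layouts as documented on this page.
ENTITY_TYPES = {
    "namespace", "application", "program", "dataset", "artifact",
    "dataset_type", "dataset_module", "securekey", "kerberosprincipal",
}

# Constructed inventory of concrete entities (not real CDAP data).
INVENTORY = [
    "namespace:ns1", "namespace:ns2", "namespace:nsx", "namespace:default",
    "application:ns1.app1", "application:ns2.app1",
    "program:ns1.app1.service.api", "program:ns1.app2.workflow.etl",
    "program:ns2.app1.spark.job",
    "dataset:ns1.events", "dataset:ns2.events",
    "securekey:ns1.dbpass",
    "kerberosprincipal:alice@EXAMPLE.COM",
]


def wildcard_to_regex(pattern):
    """'*' = zero or more characters, '?' = exactly one; everything else literal.
    Assumption: '*' is allowed to span '.' separators."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def parse_entity(spec):
    """Split '<entity-type>:<entity-id>'; reject unknown types or empty parts."""
    etype, sep, eid = spec.partition(":")
    if not sep or not eid or etype not in ENTITY_TYPES:
        raise ValueError("malformed entity spec: %r" % spec)
    return etype, eid


def matches(grant_entity, entity):
    """True if a (possibly wildcarded) grant entity covers a concrete entity."""
    gtype, gid = parse_entity(grant_entity)
    etype, eid = parse_entity(entity)
    return gtype == etype and wildcard_to_regex(gid).match(eid) is not None


def namespace_of(entity):
    """Namespace an entity belongs to; kerberosprincipal ids are not namespaced."""
    etype, eid = parse_entity(entity)
    if etype == "kerberosprincipal":
        return None
    return eid.split(".", 1)[0]


def covered_entities(grants, inventory):
    """Every inventory entity reached by at least one grant."""
    return [e for e in inventory if any(matches(g, e) for g in grants)]


def out_of_scope(grants, inventory, namespace):
    """Entities the grants reach that are NOT in the intended namespace."""
    return [e for e in covered_entities(grants, inventory)
            if namespace_of(e) != namespace]


def namespace_admin_grants(namespace):
    """The entity set from the page's ns1_administrator example, parameterised."""
    return ["namespace:%s" % namespace] + [
        "%s:%s.*" % (t, namespace) for t in
        ("application", "artifact", "dataset", "dataset_type",
         "dataset_module", "securekey")
    ] + ["program:%s.*.*" % namespace]


def namespace_admin_commands(role, group, namespace):
    """CDAP CLI lines for the three-step procedure above (create, grant, add)."""
    cmds = ["create role %s" % role]
    for ent in namespace_admin_grants(namespace):
        cmds.append("grant actions ADMIN on entity %s to role %s" % (ent, role))
    cmds.append("add role %s to group %s" % (role, group))
    return cmds


if __name__ == "__main__":
    grants = namespace_admin_grants("ns1")
    print("covered:", covered_entities(grants, INVENTORY))
    print("outside ns1:", out_of_scope(grants, INVENTORY, "ns1"))
    # An over-broad pattern: namespace:ns* also reaches ns2 and nsx.
    print("ns* leaks:", out_of_scope(["namespace:ns*"], INVENTORY, "ns1"))
    for line in namespace_admin_commands("ns1_administrator", "admin", "ns1"):
        print(">", line)
```

Run it before issuing grants: an empty "outside ns1" list confirms the role is scoped as intended, while the `namespace:ns*` check shows how a prefix wildcard silently extends a grant to every namespace sharing that prefix.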
Note:

Only users in the Sentry admin group can grant or revoke privileges. Groups can be added to or removed from the Sentry admin group by updating the property sentry.service.admin.group in the Sentry configuration.

CDAP fetches roles and privileges from Sentry to enforce the authorization policy. Since only users in the Sentry admin group can fetch roles from Sentry, CDAP itself must be added as a Sentry admin. CDAP can be configured to use a different group for fetching roles by changing security.authorization.extension.config.sentry.admin.group in the CDAP configuration.

CDAP caches the privileges fetched from Sentry to improve performance. Any update to the privileges, including a revocation, takes effect in CDAP only after the cache entry expires. By default, the cache timeout is 10 minutes. This value can be changed by modifying security.authorization.cache.ttl.secs in the CDAP configuration.
Ranger Integration
When CDAP is integrated with Apache Ranger, CDAP policies are managed just like the policies of any other Ranger service. For more information, see the Ranger documentation on Policy management.

The CDAP Ranger plugin allows granting policies on mid-level entities in the CDAP entity hierarchy by specifying * for each lower level and marking those levels as exclude. For example, a policy on the entity namespace:default that should cover only the namespace itself sets the values for application and program to * and marks them as exclude.