Some operations will require multiple privileges. For example, deploying an application can create streams and datasets during the application deployment. In this case, privileges are required for all the entities that will get created. Wildcard policies will be helpful to manage the privileges in these cases. Detailed authorization policies for some operations that require multiple privileges are listed below.
...
Action | Privilege Required (Requesting User) | Privilege Required (Impersonating User)
---|---|---
Deploying an application | ADMIN on the application |
Deploying the app with a jar | ADMIN on the artifact (use the jar name as the artifact id) |
Deploying the app using an existing artifact | Any privilege of READ, WRITE, EXECUTE, or ADMIN on the artifact |
**No impersonation** | |
Creating a dataset | ADMIN on the dataset |
Creating a stream | ADMIN on the stream |
Creating a custom dataset during deployment | ADMIN on the new dataset module and type (use the full class name of the custom dataset as the module id and type id) |
Creating a custom dataset using an existing custom dataset type | ADMIN on the existing dataset module and type |
**With impersonation** | ADMIN on the kerberos principal of the impersonated user |
Creating a dataset | | ADMIN on the dataset
Creating a stream | | ADMIN on the stream
Creating a custom dataset during deployment | | ADMIN on the new dataset module and type (use the full class name of the custom dataset as the module id and type id)
Creating a custom dataset using an existing custom dataset type | | ADMIN on the existing dataset module and type
...
Condition | Privilege Required
---|---
READ from existing streams and datasets | READ on the streams and datasets
WRITE to existing streams and datasets | WRITE on the streams and datasets
Creating datasets | ADMIN on the datasets
Creating local datasets, READ/WRITE on local datasets | ADMIN, READ/WRITE on the local dataset name
Accessing an external source/sink, i.e., accessing datasets outside CDAP (only for hydrator pipelines) | ADMIN, READ and WRITE on the external datasets. The name of the external dataset will be the same as the reference name of the source/sink
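The two tables above are easier to reason about as a checklist that can be computed from a deployment plan and compared against what a user has actually been granted. The following Python is an added example written for this page, not code from CDAP itself: it encodes the deployment rows (requesting user versus impersonated user) and the run-time rows as a list of requirements, and checks them against granted privileges. The `kind:name` entity ids, the `DeploymentPlan` fields, and the use of shell-style wildcards in grants (e.g. `dataset:*`) are assumptions chosen to illustrate the "wildcard policies" the text mentions; they are not CDAP's own policy syntax or identifiers.

```python
"""Toy model of the privilege tables above (added example, not CDAP code).

Entity ids are written "kind:name". A grant's entity may use shell-style
wildcards in the name part (e.g. "dataset:*"); this is an illustrative
stand-in for CDAP wildcard policies, not CDAP's actual syntax.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple

ANY_ACTION = ("READ", "WRITE", "EXECUTE", "ADMIN")


@dataclass(frozen=True)
class Privilege:
    entity: str  # e.g. "application:purchase", "artifact:purchase-1.0.jar"
    action: str  # READ, WRITE, EXECUTE or ADMIN


# One requirement is a tuple of alternatives; holding any one of them satisfies it.
Requirement = Tuple[Privilege, ...]


@dataclass
class DeploymentPlan:  # hypothetical structure describing what a deployment will create
    app: str
    artifact: str
    artifact_is_new_jar: bool
    datasets: Tuple[str, ...] = ()
    streams: Tuple[str, ...] = ()
    custom_dataset_types: Tuple[str, ...] = ()  # full class names, new or existing
    impersonated_principal: Optional[str] = None


def need(entity: str, *actions: str) -> Requirement:
    return tuple(Privilege(entity, a) for a in actions)


def required_for_deploy(plan: DeploymentPlan) -> Tuple[List[Requirement], List[Requirement]]:
    """First table: (requirements on the requesting user, requirements on the impersonated user)."""
    requesting = [need(f"application:{plan.app}", "ADMIN")]
    if plan.artifact_is_new_jar:
        requesting.append(need(f"artifact:{plan.artifact}", "ADMIN"))  # jar name is the artifact id
    else:
        requesting.append(need(f"artifact:{plan.artifact}", *ANY_ACTION))  # any one privilege

    creating = [need(f"dataset:{d}", "ADMIN") for d in plan.datasets]
    creating += [need(f"stream:{s}", "ADMIN") for s in plan.streams]
    for cls in plan.custom_dataset_types:
        # module id and type id are both the custom dataset's full class name
        creating.append(need(f"dataset_module:{cls}", "ADMIN"))
        creating.append(need(f"dataset_type:{cls}", "ADMIN"))

    if plan.impersonated_principal is None:
        return requesting + creating, []
    # With impersonation the creation privileges move to the impersonated user,
    # and the requesting user additionally needs ADMIN on that principal.
    requesting.append(need(f"principal:{plan.impersonated_principal}", "ADMIN"))
    return requesting, creating


def required_for_run(reads=(), writes=(), creates=(), local=(), external=()) -> List[Requirement]:
    """Second table: privileges needed while a program runs. Arguments are entity ids."""
    reqs = [need(e, "READ") for e in reads]
    reqs += [need(e, "WRITE") for e in writes]
    reqs += [need(e, "ADMIN") for e in creates]
    for e in local:  # local datasets: ADMIN plus READ/WRITE on the local dataset name
        reqs += [need(e, a) for a in ("ADMIN", "READ", "WRITE")]
    for ref in external:  # external source/sink: named by the source/sink reference name
        reqs += [need(f"dataset:{ref}", a) for a in ("ADMIN", "READ", "WRITE")]
    return reqs


def is_granted(grants: List[Privilege], p: Privilege) -> bool:
    return any(g.action == p.action and fnmatchcase(p.entity, g.entity) for g in grants)


def missing(requirements: List[Requirement], grants: List[Privilege]) -> List[Requirement]:
    """Requirements for which none of the alternatives is granted."""
    return [r for r in requirements if not any(is_granted(grants, p) for p in r)]


# Constructed sample: bob deploys from a new jar, creating two datasets as alice.
PLAN = DeploymentPlan(app="purchase", artifact="purchase-1.0.jar", artifact_is_new_jar=True,
                      datasets=("purchases", "history"),
                      impersonated_principal="alice@EXAMPLE.COM")
BOB_GRANTS = [Privilege("application:purchase", "ADMIN"),
              Privilege("principal:alice@EXAMPLE.COM", "ADMIN")]  # no artifact privilege
ALICE_GRANTS = [Privilege("dataset:*", "ADMIN")]  # wildcard covers both new datasets


def demo():
    req_bob, req_alice = required_for_deploy(PLAN)
    return missing(req_bob, BOB_GRANTS), missing(req_alice, ALICE_GRANTS)


if __name__ == "__main__":
    bob_missing, alice_missing = demo()
    print("bob is missing:", bob_missing)      # the ADMIN-on-artifact requirement
    print("alice is missing:", alice_missing)  # nothing, thanks to the wildcard grant
```

Running it shows the split the first table describes: the requesting user is short one privilege (ADMIN on the artifact), while the impersonated user is fully covered by a single wildcard grant on datasets, which is the kind of policy the text recommends for deployments that create many entities.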
...