...
A create operation on an entity requires ADMIN on the entity. The ADMIN privilege needs to be granted before the entity can be created. For example, creating a namespace requires ADMIN on the namespace.
A read operation (such as reading from a dataset or a stream) on an entity requires READ on the entity.
A write operation (such as writing to a dataset or a stream) on an entity requires WRITE on the entity.
An admin operation (such as setting properties) on an entity requires ADMIN on the entity.
A delete operation on an entity requires ADMIN on the entity. If the delete operation removes multiple entities, ADMIN is required on all of them. For example, deleting a namespace requires ADMIN on the namespace itself and on all entities in the namespace.
An execute operation on a program requires EXECUTE on the program.
A list or view operation (such as listing or searching applications, datasets, streams, or artifacts) returns only those entities on which the logged-in user has at least one privilege (READ, WRITE, EXECUTE, or ADMIN), either on the entity itself or on any of its descendants.
A get operation on an entity (such as getting a dataset property or app detail) succeeds only if the user has at least one privilege (READ, WRITE, EXECUTE, or ADMIN) on the entity or on any of its descendants.
Only admins of the authorization backend can grant or revoke the privileges.
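The rules above, modelled as a small policy checker. This is an added example, not CDAP code: the `Policy` class, the tuple-shaped entity ids, and the user names are hypothetical, and it assumes that no privilege implies another.

```python
# Added example: toy model of the rules listed above (not CDAP code).
# Entity ids are hypothetical tuples; a descendant shares its ancestor's prefix.
ANY = {"READ", "WRITE", "EXECUTE", "ADMIN"}
REQUIRED = {"create": "ADMIN", "read": "READ", "write": "WRITE",
            "admin": "ADMIN", "delete": "ADMIN", "execute": "EXECUTE"}


class Policy:
    def __init__(self, entities):
        self.entities = set(entities)   # entities that currently exist
        self.grants = {}                # (user, entity) -> set of privileges

    def grant(self, user, entity, privilege):
        # Grants are stored independently of existence, so ADMIN can be
        # granted before the entity is created, as the create rule requires.
        assert privilege in ANY
        self.grants.setdefault((user, entity), set()).add(privilege)

    def _subtree(self, entity):
        n = len(entity)
        return {entity} | {e for e in self.entities if e[:n] == entity}

    def allowed(self, user, op, entity):
        held = lambda e: self.grants.get((user, e), set())
        if op in ("list", "get"):
            # Visible with any privilege on the entity or on a descendant.
            return any(held(e) for e in self._subtree(entity))
        need = REQUIRED[op]
        if op == "delete":
            # Deleting removes the whole subtree: ADMIN is needed on all of it.
            return all(need in held(e) for e in self._subtree(entity))
        # Assumption: no privilege implies another (ADMIN does not grant READ).
        return need in held(entity)


def build_sample():
    # Constructed sample data: one namespace holding a dataset and a stream.
    ns, ds, st = ("ns1",), ("ns1", "dataset", "orders"), ("ns1", "stream", "clicks")
    p = Policy({ns, ds, st})
    p.grant("alice", ds, "READ")
    p.grant("bob", ns, "ADMIN")
    return p, ns, ds, st
```

With this sample, READ on one dataset makes the enclosing namespace visible to a list call, while ADMIN on the namespace alone is not enough to delete it.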
...
Operation | Privileges Required |
---|---|
Create | ADMIN |
READ the secure data | READ |
Delete | ADMIN |
List/View | Only returns those secure keys on which user has at least one of READ, WRITE, EXECUTE, or ADMIN. |

Streams

Operation | Privileges Required |
---|---|
Create | ADMIN |
Retrieving events | READ |
Sending events to a stream (sync, async, or batch) | WRITE |
Drop | ADMIN |
Drop-all in the namespace | ADMIN on all streams in the namespace. |
Update | ADMIN |
Truncate | ADMIN |
List/View | Only returns those streams on which user has at least one of READ, WRITE, EXECUTE, or ADMIN. |
Get | At least one of READ, WRITE, EXECUTE, or ADMIN. |

Kerberos Principal
Operation | Privileges Required |
---|---|
Deploy an app to impersonate a Kerberos principal | ADMIN on the principal. |
Create a namespace with owner principal | ADMIN on the principal. |
Create a dataset with owner principal | ADMIN on the principal. |
Create a stream with owner principal | |