...

  • A create operation on an entity requires ADMIN on the entity. The ADMIN privilege must be granted before the entity can be created. For example, creating a namespace requires ADMIN on the namespace.

  • A read operation (such as reading from a dataset or a stream) on an entity requires READ on the entity.

  • A write operation (such as writing to a dataset or a stream) on an entity requires WRITE on the entity.

  • An admin operation (such as setting properties) on an entity requires ADMIN on the entity.

  • A delete operation on an entity requires ADMIN on the entity. If the deletion will remove multiple entities, ADMIN is required on all of them. For example, deleting a namespace requires ADMIN on every entity in the namespace, and on the namespace itself.

  • An execute operation on a program requires EXECUTE on the program.

  • A list or view operation (such as listing or searching applications, datasets, streams, or artifacts) only returns those entities on which the logged-in user has at least one privilege (READ, WRITE, EXECUTE, or ADMIN), either on the entity itself or on any of its descendants.

  • A get operation on an entity (such as getting a dataset property or an app's detail) only succeeds if the user has at least one privilege (READ, WRITE, EXECUTE, or ADMIN) on the entity or on any of its descendants.

  • Only admins of the authorization backend can grant or revoke privileges.

...

Secure Keys

Operation                                            Privileges Required
Create                                               ADMIN
Read the secure data                                 READ
Delete                                               ADMIN
List/View                                            Only returns those secure keys on which the user has at least one of READ, WRITE, EXECUTE, or ADMIN.

Streams

Operation                                            Privileges Required
Create                                               ADMIN
Retrieving events                                    READ
Sending events to a stream (sync, async, or batch)   WRITE
Drop                                                 ADMIN
Drop-all in the namespace                            ADMIN on all streams in the namespace.
Update                                               ADMIN
Truncate                                             ADMIN
List/View                                            Only returns those streams on which the user has at least one of READ, WRITE, EXECUTE, or ADMIN.
Get                                                  At least one of READ, WRITE, EXECUTE, or ADMIN.

Kerberos Principal

Operation                                            Privileges Required
Deploy an app to impersonate a Kerberos principal    ADMIN on the principal.
Create a namespace with owner principal              ADMIN on the principal.
Create a dataset with owner principal                ADMIN on the principal.
Create a stream with owner principal