Currently, CDAP allows users to enforce authorization for READ, WRITE, EXECUTE, and ADMIN operations.
In general, this summarizes the authorization policies in CDAP:
A create operation on an entity requires ADMIN on the entity. The ADMIN privilege needs to be granted before the entity can be created. For example, creating a namespace requires ADMIN on the namespace.
A read operation (such as reading from a dataset) on an entity requires READ on the entity.
A write operation (such as writing to a dataset) on an entity requires WRITE on the entity.
An admin operation (such as setting properties) on an entity requires ADMIN on the entity.
A delete operation on an entity requires ADMIN on the entity. Note that if the deletion operation will delete multiple entities, ADMIN is required on all the entities. For example, delete on a namespace requires ADMIN on all entities in the namespace, and the namespace itself.
An execute operation on a program requires EXECUTE on the program.
A list or view operation (such as listing or searching applications, datasets, or artifacts) only returns those entities that the logged-in user has at least one (READ, WRITE, EXECUTE, ADMIN) privilege on or on any of its descendants.
A get operation on an entity (such as getting the dataset property, or app detail) only succeeds if the user has at least one (READ, WRITE, EXECUTE, ADMIN) privilege on it or any of its descendants.
Only admins of the authorization backend can grant or revoke the privileges.
Additionally:
Upon successful creation/deletion of an entity, the privileges remain unaffected. It is the responsibility of the administrator to delete privileges from the authorization backend on entity deletion. If the privileges are not deleted and the entity is recreated, the old privileges will be retained for the new entity.
CDAP does not support hierarchical authorization enforcement, which means that privileges on each entity are evaluated independently.
Authorization policies for various CDAP operations are listed in the following tables. Policies for more complex operations can be checked here.
Operation | Privileges Required |
|---|---|
Create | ADMIN |
Update | ADMIN |
Delete | ADMIN on the namespace, and ADMIN on all entities in the namespace. Note that lack of the privileges may result in an inconsistent state for the namespace. Some entities may get cleaned up while entities with insufficient privileges will remain. |
List/View | Only returns those namespaces which user has at least one of READ, WRITE, EXECUTE, or ADMIN on the namespace or on any of its descendants. |
Get | At least one of READ, WRITE, EXECUTE, or ADMIN on the namespace or any of its descendants. |
Operation | Privileges Required |
|---|---|
Add | ADMIN |
Add a property | ADMIN |
Remove a property | ADMIN |
Delete | ADMIN |
List/View | Only returns those artifacts on which user has at least one of READ, WRITE, EXECUTE, or ADMIN. |
Get | At least one of READ, WRITE, EXECUTE, or ADMIN. |
Operation | Privileges Required |
|---|---|
Add | ADMIN (on the application) and ADMIN (if adding new artifacts) or any privileges(if using existing artifacts) on the artifact. |
Delete | ADMIN |
List/View | Only returns those applications that user has at least one of READ, WRITE, EXECUTE, or ADMIN on the application or on any of its descendants. |
Get | At least one of READ, WRITE, EXECUTE, or ADMIN on the application or any of its descendants. |
Operation | Privileges Required |
|---|---|
Start, Stop, or Debug | EXECUTE |
Set instances | ADMIN |
Set runtime arguments | ADMIN |
Retrieve runtime arguments | At least one of READ, EXECUTE or ADMIN. |
Retrieve status | At least one of READ, WRITE, EXECUTE, or ADMIN. |
List/View | Only returns those programs on which user has at least one of READ, WRITE, EXECUTE, or ADMIN. |
Get | At least one of READ, WRITE, EXECUTE, or ADMIN. |
Resume/Suspend schedule | EXECUTE on the program. |
Add/Delete/Update schedule | ADMIN on the application. |
Operation | Privileges Required |
|---|---|
Create | ADMIN on the dataset and, for custom datasets, at least one of READ, WRITE, EXECUTE, or ADMIN on the dataset type. |
Read | READ |
Write | WRITE |
Update | ADMIN |
Upgrade | ADMIN |
Truncate | ADMIN |
Drop | ADMIN |
List/View | Only returns those datasets on which user has at least one of READ, WRITE, EXECUTE, or ADMIN. |
Get | At least one of READ, WRITE, EXECUTE, or ADMIN. |
Operation | Privileges Required |
|---|---|
Deploy | ADMIN |
Delete | ADMIN |
Delete-all in the namespace | ADMIN on all dataset modules in the namespace. |
List/View | Only returns those dataset modules on which user has at least one of READ, WRITE, EXECUTE, or ADMIN. |
Get | At least one of READ, WRITE, EXECUTE, or ADMIN. |
Operation | Privileges Required |
|---|---|
List/View | Only returns those dataset types on which user has at least one of READ, WRITE, EXECUTE, or ADMIN. |
Get | At least one of READ, WRITE, EXECUTE, or ADMIN. |
Operation | Privileges Required |
|---|---|
Create | ADMIN |
READ the secure data | READ |
Delete | ADMIN |
List/View | Only returns those secure keys on which user has at least one of READ, WRITE, EXECUTE, or ADMIN. |
Operation | Privileges Required |
|---|---|
Deploy an app to impersonate a kerberos principal | ADMIN on the principal. |
Create a namespace with owner principal | ADMIN on the principal. |
Create a dataset with owner principal | ADMIN on the principal. |