Authorization policies
Following are the core policies that the authorization module follows. Detailed policies for entities are listed in the table after that. For new entities and entities not listed here, these core policies should be followed.
- Create needs a WRITE on the parent
- Delete needs an ADMIN on the entity
- Delete all deletes all entities the user has privileges for and shows errors for the ones not deleted.
- List needs a READ/WRITE/ADMIN on the entity.
- Get needs a READ on the entity and READ on the parent.
- Setting preferences needs WRITE on the entity
- Getting preferences needs READ on the entity
- Update needs ADMIN on the entity
- Adding metadata needs ADMIN on the entity
- Reading metadata needs READ on the entity
| Entity | Operation | Required Privileges | Resultant Privileges | Notes |
|---|---|---|---|---|
| Namespace | create | WRITE (Instance) | ALL (Namespace) | |
| update | ADMIN (Namespace) | |||
| list | READ/WRITE/ADMIN (Namespace) | Listing will list all the namespaces, even if the current user does not have access to it. | ||
| get | READ (Namespace) | |||
| delete | ADMIN (Namespace) | |||
| set preference | WRITE (Namespace) | |||
| get preference | READ (Namespace) | |||
| search | READ (Namespace) | |||
| Artifact | add | WRITE (Namespace) | ALL (Artifact) | |
| delete | ADMIN (Artifact) | |||
| get | READ (Artifact) | |||
| list | READ/WRITE/ADMIN (Artifact) | |||
| write property | ADMIN (Artifact) | |||
| delete property | ADMIN (Artifact) | |||
| get property | READ (Artifact) | |||
| write metadata | ADMIN (Artifact) | |||
| read metadata | READ (Artifact) | |||
| Application | deploy | WRITE (Namespace) READ(Artifact if deployed from an artifact) | ALL (Application) | |
| get | READ (Application) | |||
| list | READ/WRITE/ADMIN (Application) | |||
| update | ADMIN (Application) | |||
| delete | ADMIN (Application) | |||
| set preference | WRITE (Application) | |||
| get preference | READ (Application) | |||
| add metadata | ADMIN (Application) | |||
| get metadata | READ (Application) | |||
| Programs | start/stop/debug | EXECUTE (Program) READ (Namespace) | ||
| set instances | ADMIN (Program) | |||
| list | READ/WRITE/ADMIN (Program) | |||
| set runtime args | ADMIN (Program) | |||
| get runtime args | READ (Program) | |||
| get instances | READ (Program) | |||
| set preference | WRITE (Program) | |||
| get preference | READ (Program) | |||
| get status | READ (Program) | |||
| get history | READ (Program) | |||
| add metadata | ADMIN (Program) | |||
| get metadata | READ (Program) | |||
| emit logs | WRITE  (Namespace) | |||
| view logs | READ (Program) | |||
| emit metrics | WRITE (Namespace) | |||
| view metrics | READ (Program) | |||
| Streams | create | WRITE (Namespace) | ALL (Stream) | |
| update properties | ADMIN (Stream) | |||
| delete | ADMIN (Stream) | |||
| truncate | ADMIN (Stream) | |||
| enqueue asyncEnqueue batch | WRITE (Stream) READ (Namespace) | |||
| get | READ (Stream) READ (Namespace) | |||
| list | READ/WRITE/ADMIN (Streams) | |||
| read events | READ (Stream) READ (Namespace) | |||
| set preferences | WRITE (Stream) | |||
| get preferences | READ (Stream) | |||
| add metadata | ADMIN (Stream) | |||
| get metadata | READ (Stream) | |||
| view lineage | READ (Stream) | |||
| emit metrics | WRITE (Namespace) | |||
| view metrics | READ (Stream) | |||
| Datasets | create | WRITE (Namespace) | ALL (Dataset) | |
| get | READ (Dataset) READ(Namespace) | |||
| list | READ/WRITE/ADMIN (Datasets) | |||
| update | ADMIN (Dataset) READ(Namespace) | |||
| drop | ADMIN (Dataset) | |||
| truncate | ADMIN (Dataset) | |||
| upgrade | ADMIN (Dataset) | |||
| add metadata | ADMIN (Dataset) | |||
| get metadata | READ (Dataset) | |||
| view lineage | READ (Dataset) | |||
| emit metrics | WRITE (Namespace) | |||
| view metrics | READ (Dataset) |
Created in 2020 by Google Inc.