Authorization policies
Following are the core policies that the authorization module follows. Detailed policies for entities are listed in the table after that. For new entities and entities not listed here, these core policies should be followed.
Create needs a WRITE on the parent
Delete needs an ADMIN on the entity
Delete all deletes all entities the user has privileges for and shows errors for the ones not deleted.
List needs a READ/WRITE/ADMIN on the entity.
Get needs a READ on the entity and READ on the parent.
Setting preferences needs WRITE on the entity
Getting preferences needs READ on the entity
Update needs ADMIN on the entity
Adding metadata needs ADMIN on the entity
Reading metadata needs READ on the entity
Entity | Operation | Required Privileges | Resultant Privileges | Notes |
|---|---|---|---|---|
Namespace | create | WRITE (Instance) | ALL (Namespace) |
|
| update | ADMIN (Namespace) |
|
|
| list | READ/WRITE/ADMIN (Namespace) |
| Listing will list all the namespaces, even if the current user does not have access to it. |
| get | READ (Namespace) |
|
|
| delete | ADMIN (Namespace) |
|
|
| set preference | WRITE (Namespace) |
|
|
| get preference | READ (Namespace) |
|
|
| search | READ (Namespace) |
|
|
Artifact | add | WRITE (Namespace) | ALL (Artifact) |
|
| delete | ADMIN (Artifact) |
|
|
| get | READ (Artifact) |
|
|
| list | READ/WRITE/ADMIN (Artifact) |
|
|
| write property | ADMIN (Artifact) |
|
|
| delete property | ADMIN (Artifact) |
|
|
| get property | READ (Artifact) |
|
|
| write metadata | ADMIN (Artifact) |
|
|
| read metadata | READ (Artifact) |
|
|
Application | deploy | WRITE (Namespace) READ(Artifact if deployed from an artifact) | ALL (Application) |
|
| get | READ (Application) |
|
|
| list | READ/WRITE/ADMIN (Application) |
|
|
| update | ADMIN (Application) |
|
|
| delete | ADMIN (Application) |
|
|
| set preference | WRITE (Application) |
|
|
| get preference | READ (Application) |
|
|
| add metadata | ADMIN (Application) |
|
|
| get metadata | READ (Application) |
|
|
Programs | start/stop/debug | EXECUTE (Program) READ (Namespace) |
|
|
| set instances | ADMIN (Program) |
|
|
| list | READ/WRITE/ADMIN (Program) |
|
|
| set runtime args | ADMIN (Program) |
|
|
| get runtime args | READ (Program) |
|
|
| get instances | READ (Program) |
|
|
| set preference | WRITE (Program) |
|
|
| get preference | READ (Program) |
|
|
| get status | READ (Program) |
|
|
| get history | READ (Program) |
|
|
| add metadata | ADMIN (Program) |
|
|
| get metadata | READ (Program) |
|
|
| emit logs | WRITE (Namespace) |
|
|
| view logs | READ (Program) |
|
|
| emit metrics | WRITE (Namespace) |
|
|
| view metrics | READ (Program) |
|
|
Streams | create | WRITE (Namespace) | ALL (Stream) |
|
| update properties | ADMIN (Stream) |
|
|
| delete | ADMIN (Stream) |
|
|
| truncate | ADMIN (Stream) |
|
|
| enqueue | WRITE (Stream) READ (Namespace) |
|
|
| get | READ (Stream) READ (Namespace) |
|
|
| list | READ/WRITE/ADMIN (Streams) |
|
|
| read events | READ (Stream) READ (Namespace) |
|
|
| set preferences | WRITE (Stream) |
|
|
| get preferences | READ (Stream) |
|
|
| add metadata | ADMIN (Stream) |
|
|
| get metadata | READ (Stream) |
|
|
| view lineage | READ (Stream) |
|
|
| emit metrics | WRITE (Namespace) |
|
|
| view metrics | READ (Stream) |
|