Security Commands

The CLI includes the following security commands:

Command

Description

Command

Description

add role <role-name> to <principal-type> <principal-name>

Adds a role to a principal in authorization system for role-based access control

create role <role-name>

Creates a role in authorization system for role-based access control

drop role <role-name>

Drops a role from authorization system for role-based access control

grant actions <actions> on entity <entity> to <principal-type> <principal-name>

Grants a principal privileges to perform certain actions on an authorizable. <actions> is a comma-separated list of privileges, any of 'READ', 'WRITE', 'EXECUTE', or 'ADMIN'. <entity> is of the form <entity-type>:<entity-id>, where <entity-type> is one of 'namespace', 'artifact', 'application', 'dataset' or 'program'.

For namespaces, <entity-id> is composed from the namespace, such as 'namespace:<namespace-name>.

For artifacts and apps, <entity-id> is composed of the namespace, entity name, and version, such as <namespace-name>.<artifact-name>.<artifact-version> or <namespace-name>.<app-name>.<app-version>.

Note: Metadata for versioned entities is not versioned, including entities such as applications, programs, schedules, and program runs. Additions to metadata in one version are reflected in all versions.

For programs, <entity-id> includes the application name and the program type: <namespace-name>.<app-name>.<program-type>.<program-name>. <program-type> is one of mapreduce, service, spark, worker, or workflow.

For datasets, <entity-id> is the namespace and entity names, such as <namespace-name>.<dataset-name>.

Custom entities can be specified as hierarchical key-value pair with an optional type if the last key in hierarchy is not the type of the entity. For example a 'field' in dataset can be specified as: namespace=<namespace-name>,dataset=<dataset-name>,field=<field-name>. A 'jar' in a namespace can be specified as: namespace=<namespace-name>,jar=<jar-name>,version=<version-number>,type=jar.

list privileges for <principal-type> <principal-name>

Lists privileges for a principal

list roles [for <principal-type> <principal-name>]

Lists all roles, optionally for a particular principal in an authorization system for role-based access control

remove role <role-name> from <principal-type> <principal-name>

Removes a role from a principal in authorization system for role-based access control

revoke actions <actions> on entity <entity> from <principal-type> <principal-name>

Revokes a principal's privileges to perform certain actions on an entity. <actions> is a comma-separated list of privileges, any of 'READ', 'WRITE', 'EXECUTE', or 'ADMIN'. <entity> is of the form <entity-type>:<entity-id>, where <entity-type> is one of 'namespace', 'artifact', 'application', 'dataset' or 'program'.

For namespaces, <entity-id> is composed from the namespace, such as 'namespace:<namespace-name>.

For artifacts and apps, <entity-id> is composed of the namespace, entity name, and version, such as <namespace-name>.<artifact-name>.<artifact-version> or <namespace-name>.<app-name>.<app-version>.

Note: Metadata for versioned entities is not versioned, including entities such as applications, programs, schedules, and program runs. Additions to metadata in one version are reflected in all versions.

For programs, <entity-id> includes the application name and the program type: <namespace-name>.<app-name>.<program-type>.<program-name>. <program-type> is one of mapreduce, service, spark, worker, or workflow.

For datasets, <entity-id> is the namespace and entity names, such as <namespace-name>.<dataset-name>.

Custom entities can be specified as hierarchical key-value pair with an optional type if the last key in hierarchy is not the type of the entity. For example a 'field' in dataset can be specified as: namespace=<namespace-name>,dataset=<dataset-name>,field=<field-name>. A 'jar' in a namespace can be specified as: namespace=<namespace-name>,jar=<jar-name>,version=<version-number>,type=jar.

revoke all on entity <entity>

Revokes all privileges for all users on the entity. <entity> is of the form <entity-type>:<entity-id>, where <entity-type> is one of 'namespace', 'artifact', 'application', 'dataset' or 'program'.

For namespaces, <entity-id> is composed from the namespace, such as 'namespace:<namespace-name>.

For artifacts and apps, <entity-id> is composed of the namespace, entity name, and version, such as <namespace-name>.<artifact-name>.<artifact-version> or <namespace-name>.<app-name>.<app-version>.

Note: Metadata for versioned entities is not versioned, including entities such as applications, programs, schedules, and program runs. Additions to metadata in one version are reflected in all versions.

For programs, <entity-id> includes the application name and the program type: <namespace-name>.<app-name>.<program-type>.<program-name>. <program-type> is one of mapreduce, service, spark, worker, or workflow.

For datasets, <entity-id> is the namespace and entity names, such as <namespace-name>.<dataset-name>.

Custom entities can be specified as hierarchical key-value pair with an optional type if the last key in hierarchy is not the type of the entity. For example a 'field' in dataset can be specified as: namespace=<namespace-name>,dataset=<dataset-name>,field=<field-name>. A 'jar' in a namespace can be specified as: namespace=<namespace-name>,jar=<jar-name>,version=<version-number>,type=jar.

Created in 2020 by Google Inc.