Operations that Require Multiple Privileges
Some operations will require multiple privileges. For example, deploying an application can create datasets during the application deployment. In this case, privileges are required for all the entities that will get created. Wildcard policies will be helpful to manage the privileges in these cases. Detailed authorization policies for some operations that require multiple privileges are listed below.
Typically, admins use namespace level privileges to manage authorization. Users granted access to a namespace will be granted all privileges to all entities in the namespace. In such a case the following granular policies for deploying an application and creating various entities are not required.
Deploy Application
The privileges required to deploy an application can vary based on various conditions, like whether the application has impersonation enabled, etc. In general, the user deploying the application (the requesting user) always needs ADMIN privilege on the application. In addition, the requesting user and the impersonating user may need additional privileges. The following table lists the privileges needed to deploy an application under various conditions.
Action | Privilege Required | |
|---|---|---|
Requesting User | Impersonating User | |
| ADMIN on the application |
|
Deploying the app with a jar | ADMIN on the artifact (use the jar name as the artifact id) |
|
Deploying the app using an existing artifact | Any privilege of READ, WRITE, EXECUTE, or ADMIN on the artifact |
|
No impersonation | ||
Creating a dataset | ADMIN on the dataset |
|
Creating a custom dataset during deployment | ADMIN on the new dataset module and type (use the full class name of the custom dataset as the module id and type id) |
|
Creating a custom dataset using an existing custom dataset type | ADMIN on the existing dataset module and type |
|
With impersonation | ||
| ADMIN on the kerberos principal of the impersonated user |
|
Creating a dataset |
| ADMIN on the dataset |
Creating a custom dataset during deployment |
| ADMIN on the new dataset module and type (use the full class name of the custom dataset as the module id and type id) |
Creating a custom dataset using an existing custom dataset type |
| ADMIN on the existing dataset module and type |
Execute Programs/Hydrator Pipelines
To execute a program or a pipeline, the requesting user will need EXECUTE privilege on it. If there is no impersonation, the program will run (the executing user) as the CDAP master user. If impersonation is involved, the program will run as the impersonated user.
Privileges required by the requesting user:
Condition | Privilege Required |
|---|---|
Execute a program | EXECUTE on the program |
Execute a hydrator pipeline | EXECUTE on the pipeline (application) name— |
Privileges required by the executing user:
Condition | Privilege Required |
|---|---|
READ from existing datasets | READ on the datasets |
WRITE to existing datasets | WRITE on the datasets |
Creating datasets | ADMIN on the datasets |
Creating local datasets, READ/WRITE on local datasets | ADMIN, READ/WRITE on local dataset name— |
Accessing external source/sink, i.e, accessing datasets outside CDAP (only for hydrator pipelines) | ADMIN, READ and WRITE on the external datasets. The name of the external dataset will be same as the reference name of the source/sink— |
Enable Wrangler Service
To enable the Wrangler service, the following privileges are needed:
Requesting user: EXECUTE on entity
program:<namespace-id>.dataprep.service.serviceWithout impersonation:
Requesting user: ADMIN on entities
dataset:<namespace-id>.workspacedataset:<namespace-id>.dataprepdataset:<namespace-id>.dataprepfsdataset_type:<namespace-id>.*WorkspaceDatasetdataset_module:<namespace-id>.*WorkspaceDataset
CDAP master user: READ, WRITE on entities
dataset:<namespace-id>.workspacedataset:<namespace-id>.dataprepdataset:<namespace-id>.dataprepfs
With impersonation:
Impersonating user: ADMIN, READ and WRITE on entities
dataset:<namespace-id>.workspacedataset:<namespace-id>.dataprepdataset:<namespace-id>.dataprepfs
Impersonating user: ADMIN on entities
dataset_type:<namespace-id>.*WorkspaceDatasetdataset_module:<namespace-id>.*WorkspaceDataset
Created in 2020 by Google Inc.