Operations that Require Multiple Privileges

Owned by Robin Rielley
Last updated: Nov 19, 2020
2 min read

Some operations will require multiple privileges. For example, deploying an application can create datasets during the application deployment. In this case, privileges are required for all the entities that will get created. Wildcard policies will be helpful to manage the privileges in these cases. Detailed authorization policies for some operations that require multiple privileges are listed below.

Typically, admins use namespace level privileges to manage authorization. Users granted access to a namespace will be granted all privileges to all entities in the namespace. In such a case the following granular policies for deploying an application and creating various entities are not required.

Deploy Application

The privileges required to deploy an application can vary based on various conditions, like whether the application has impersonation enabled, etc. In general, the user deploying the application (the requesting user) always needs ADMIN privilege on the application. In addition, the requesting user and the impersonating user may need additional privileges. The following table lists the privileges needed to deploy an application under various conditions.

Action

Privilege Required

Requesting User

Impersonating User

 

ADMIN on the application

 

Deploying the app with a jar

ADMIN on the artifact (use the jar name as the artifact id)

 

Deploying the app using an existing artifact

Any privilege of READ, WRITE, EXECUTE, or ADMIN on the artifact

 

No impersonation

Creating a dataset

ADMIN on the dataset

 

Creating a custom dataset during deployment

ADMIN on the new dataset module and type (use the full class name of the custom dataset as the module id and type id)

 

Creating a custom dataset using an existing custom dataset type

ADMIN on the existing dataset module and type

 

With impersonation

 

ADMIN on the kerberos principal of the impersonated user

 

Creating a dataset

 

ADMIN on the dataset

Creating a custom dataset during deployment

 

ADMIN on the new dataset module and type (use the full class name of the custom dataset as the module id and type id)

Creating a custom dataset using an existing custom dataset type

 

ADMIN on the existing dataset module and type

Execute Programs/Hydrator Pipelines

To execute a program or a pipeline, the requesting user will need EXECUTE privilege on it. If there is no impersonation, the program will run (the executing user) as the CDAP master user. If impersonation is involved, the program will run as the impersonated user.

Privileges required by the requesting user:

Condition

Privilege Required

Condition

Privilege Required

Execute a program

EXECUTE on the program

Execute a hydrator pipeline

EXECUTE on the pipeline (application) name—program:<namespace-id>.<pipeline-name>.*

Privileges required by the executing user:

Condition

Privilege Required

Condition

Privilege Required

READ from existing datasets

READ on the datasets

WRITE to existing datasets

WRITE on the datasets

Creating datasets

ADMIN on the datasets

Creating local datasets, READ/WRITE on local datasets

ADMIN, READ/WRITE on local dataset name—dataset:<namespace-id>.<local-dataset-id>*

Accessing external source/sink, i.e, accessing datasets outside CDAP (only for hydrator pipelines)

ADMIN, READ and WRITE on the external datasets. The name of the external dataset will be same as the reference name of the source/sink—dataset:<namespace-id>.<reference-name>

Enable Wrangler Service

To enable the Wrangler service, the following privileges are needed:

  • Requesting user: EXECUTE on entity program:<namespace-id>.dataprep.service.service

  • Without impersonation:

    • Requesting user: ADMIN on entities

      • dataset:<namespace-id>.workspace

      • dataset:<namespace-id>.dataprep

      • dataset:<namespace-id>.dataprepfs

      • dataset_type:<namespace-id>.*WorkspaceDataset

      • dataset_module:<namespace-id>.*WorkspaceDataset

    • CDAP master user: READ, WRITE on entities

      • dataset:<namespace-id>.workspace

      • dataset:<namespace-id>.dataprep

      • dataset:<namespace-id>.dataprepfs

  • With impersonation:

    • Impersonating user: ADMIN, READ and WRITE on entities

      • dataset:<namespace-id>.workspace

      • dataset:<namespace-id>.dataprep

      • dataset:<namespace-id>.dataprepfs

    • Impersonating user: ADMIN on entities

      • dataset_type:<namespace-id>.*WorkspaceDataset

      • dataset_module:<namespace-id>.*WorkspaceDataset

Created in 2020 by Google Inc.