Authorization Policies

Currently, CDAP allows users to enforce authorization for READ, WRITE, EXECUTE, and ADMIN operations.

In general, the authorization policies in CDAP are as follows:

  • A create operation on an entity requires ADMIN on the entity. The ADMIN privilege needs to be granted before the entity can be created. For example, creating a namespace requires ADMIN on the namespace.

  • A read operation (such as reading from a dataset) on an entity requires READ on the entity.

  • A write operation (such as writing to a dataset) on an entity requires WRITE on the entity.

  • An admin operation (such as setting properties) on an entity requires ADMIN on the entity.

  • A delete operation on an entity requires ADMIN on the entity. Note that if the deletion operation will delete multiple entities, ADMIN is required on all the entities. For example, delete on a namespace requires ADMIN on all entities in the namespace, and the namespace itself.

  • An execute operation on a program requires EXECUTE on the program.

  • A list or view operation (such as listing or searching applications, datasets, or artifacts) only returns those entities on which the logged-in user has at least one privilege (READ, WRITE, EXECUTE, or ADMIN), either on the entity itself or on any of its descendants.

  • A get operation on an entity (such as getting a dataset's properties or an application's details) only succeeds if the user has at least one privilege (READ, WRITE, EXECUTE, or ADMIN) on the entity itself or on any of its descendants.

  • Only admins of the authorization backend can grant or revoke the privileges.

Additionally:

  • Successful creation or deletion of an entity leaves its privileges unaffected. It is the administrator's responsibility to delete privileges from the authorization backend when an entity is deleted. If the privileges are not deleted and an entity with the same name is recreated, the old privileges apply to the new entity.

  • CDAP does not support hierarchical authorization enforcement: privileges on each entity are evaluated independently, so a privilege on a namespace does not imply any privilege on the entities inside it.
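The following Python model is an added example that is not CDAP's own code (it is not the Authorizer or AuthorizationEnforcer of the project). It encodes the rules listed above so a practitioner can see them interact: non-hierarchical evaluation (ADMIN on a namespace grants nothing on a dataset inside it), cascading delete (ADMIN on the target and every existing descendant), list/view visibility through descendants, and privileges surviving entity deletion. Entity paths such as "sales/dataset/orders", the user names, and the grants are constructed for illustration; real CDAP entity ids and backends differ.

```python
"""Toy model of the CDAP authorization policy summarised above.

Example code added to this page, not CDAP's own Authorizer/AuthorizationEnforcer.
Entity paths, users and grants are constructed for illustration (assumptions).
"""

ACTIONS = frozenset({"READ", "WRITE", "EXECUTE", "ADMIN"})


class AuthBackend:
    """Stand-in for the external authorization backend: (user, entity) -> actions."""

    def __init__(self):
        self._grants = {}

    def grant(self, user, entity, *actions):
        unknown = set(actions) - ACTIONS
        if unknown:
            raise ValueError(f"unknown actions: {sorted(unknown)}")
        self._grants.setdefault((user, entity), set()).update(actions)

    def privileges(self, user, entity):
        return frozenset(self._grants.get((user, entity), ()))


class Cdap:
    """Entity registry plus the enforcement rules from the policy list."""

    def __init__(self, backend):
        self.backend = backend
        self.entities = set()  # existing entity paths, e.g. "sales/dataset/orders"

    def _has(self, user, entity, action):
        # Non-hierarchical: only a grant on this exact entity counts.
        return action in self.backend.privileges(user, entity)

    def descendants(self, entity):
        return {e for e in self.entities if e.startswith(entity + "/")}

    def missing_admin_for_delete(self, user, entity):
        """Entities (the target and every existing descendant) lacking ADMIN."""
        scope = {entity} | self.descendants(entity)
        return {e for e in scope if not self._has(user, e, "ADMIN")}

    def can_create(self, user, entity):  return self._has(user, entity, "ADMIN")
    def can_read(self, user, entity):    return self._has(user, entity, "READ")
    def can_write(self, user, entity):   return self._has(user, entity, "WRITE")
    def can_execute(self, user, entity): return self._has(user, entity, "EXECUTE")
    def can_admin(self, user, entity):   return self._has(user, entity, "ADMIN")
    def can_delete(self, user, entity):  return not self.missing_admin_for_delete(user, entity)

    def is_visible(self, user, entity):
        # List/View and Get: any privilege on the entity or on any of its descendants.
        scope = {entity} | self.descendants(entity)
        return any(self.backend.privileges(user, e) for e in scope)

    def list_namespaces(self, user):
        return sorted(e for e in self.entities if "/" not in e and self.is_visible(user, e))

    # Lifecycle: privileges in the backend are left untouched, as the page states.
    def create(self, user, entity):
        if not self.can_create(user, entity):
            raise PermissionError(f"{user} needs ADMIN on {entity}")
        self.entities.add(entity)

    def delete(self, user, entity):
        missing = self.missing_admin_for_delete(user, entity)
        if missing:
            raise PermissionError(f"{user} lacks ADMIN on {sorted(missing)}")
        self.entities -= {entity} | self.descendants(entity)


def demo():
    """Constructed scenario; returns the outcome of each policy check."""
    backend, cdap = AuthBackend(), None
    cdap = Cdap(backend)
    # The backend admin grants ADMIN first; only then can alice create entities.
    for e in ("sales", "sales/app/Purchases", "sales/app/Purchases/flow/Ingest",
              "sales/dataset/orders", "hr"):
        backend.grant("alice", e, "ADMIN")
        cdap.create("alice", e)
    backend.grant("dave", "sales", "ADMIN")                                # namespace only
    backend.grant("bob", "sales/app/Purchases/flow/Ingest", "EXECUTE")     # one program
    backend.grant("carol", "sales/dataset/orders", "READ")                 # one dataset
    r = {
        "dave_admin_ns": cdap.can_admin("dave", "sales"),
        "dave_read_dataset": cdap.can_read("dave", "sales/dataset/orders"),  # no inheritance
        "dave_delete_ns": cdap.can_delete("dave", "sales"),                  # cascade blocks it
        "dave_missing": cdap.missing_admin_for_delete("dave", "sales"),
        "bob_sees_ns": cdap.is_visible("bob", "sales"),                      # via descendant
        "bob_read_app": cdap.can_read("bob", "sales/app/Purchases"),
        "bob_namespaces": cdap.list_namespaces("bob"),
        "alice_namespaces": cdap.list_namespaces("alice"),
        "carol_sees_app": cdap.is_visible("carol", "sales/app/Purchases"),
    }
    # Privilege retention: drop and recreate the dataset; carol's READ is still there.
    cdap.delete("alice", "sales/dataset/orders")
    r["carol_read_after_drop"] = cdap.can_read("carol", "sales/dataset/orders")
    cdap.create("alice", "sales/dataset/orders")
    r["carol_read_recreated"] = cdap.can_read("carol", "sales/dataset/orders")
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The `dave_missing` result is the practical reading of the delete rule: a namespace delete with ADMIN on the namespace alone is refused here, whereas the table below warns that in CDAP a partially privileged delete can leave the namespace inconsistent. The `carol_read_*` results show why stale grants should be revoked in the backend before an entity name is reused.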

Authorization policies for various CDAP operations are listed in the following tables. Policies for more complex operations can be checked here.

Namespaces

Operation | Privileges Required
--- | ---
Create | ADMIN
Update | ADMIN
Delete | ADMIN on the namespace, and ADMIN on all entities in the namespace. Note that lacking some of these privileges may leave the namespace in an inconsistent state: some entities may be cleaned up while those with insufficient privileges remain.
List/View | Only returns those namespaces on which the user has at least one of READ, WRITE, EXECUTE, or ADMIN, either on the namespace or on any of its descendants.
Get | At least one of READ, WRITE, EXECUTE, or ADMIN on the namespace or on any of its descendants.

Artifacts

Operation | Privileges Required
--- | ---
Add | ADMIN
Add a property | ADMIN
Remove a property | ADMIN
Delete | ADMIN
List/View | Only returns those artifacts on which the user has at least one of READ, WRITE, EXECUTE, or ADMIN.
Get | At least one of READ, WRITE, EXECUTE, or ADMIN.

Applications

Operation | Privileges Required
--- | ---
Add | ADMIN on the application, plus ADMIN on the artifact (if adding a new artifact) or at least one privilege on the artifact (if using an existing artifact).
Delete | ADMIN
List/View | Only returns those applications on which the user has at least one of READ, WRITE, EXECUTE, or ADMIN, either on the application or on any of its descendants.
Get | At least one of READ, WRITE, EXECUTE, or ADMIN on the application or on any of its descendants.

Programs

Operation | Privileges Required
--- | ---
Start, Stop, or Debug | EXECUTE
Set instances | ADMIN
Set runtime arguments | ADMIN
Retrieve runtime arguments | At least one of READ, EXECUTE, or ADMIN.
Retrieve status | At least one of READ, WRITE, EXECUTE, or ADMIN.
List/View | Only returns those programs on which the user has at least one of READ, WRITE, EXECUTE, or ADMIN.
Get | At least one of READ, WRITE, EXECUTE, or ADMIN.
Resume/Suspend schedule | EXECUTE on the program.
Add/Delete/Update schedule | ADMIN on the application.

Datasets

Operation | Privileges Required
--- | ---
Create | ADMIN on the dataset and, for custom datasets, at least one of READ, WRITE, EXECUTE, or ADMIN on the dataset type.
Read | READ
Write | WRITE
Update | ADMIN
Upgrade | ADMIN
Truncate | ADMIN
Drop | ADMIN
List/View | Only returns those datasets on which the user has at least one of READ, WRITE, EXECUTE, or ADMIN.
Get | At least one of READ, WRITE, EXECUTE, or ADMIN.

Dataset Modules

Operation | Privileges Required
--- | ---
Deploy | ADMIN
Delete | ADMIN
Delete all in the namespace | ADMIN on all dataset modules in the namespace.
List/View | Only returns those dataset modules on which the user has at least one of READ, WRITE, EXECUTE, or ADMIN.
Get | At least one of READ, WRITE, EXECUTE, or ADMIN.

Dataset Types

Operation | Privileges Required
--- | ---
List/View | Only returns those dataset types on which the user has at least one of READ, WRITE, EXECUTE, or ADMIN.
Get | At least one of READ, WRITE, EXECUTE, or ADMIN.

Secure Keys

Operation | Privileges Required
--- | ---
Create | ADMIN
Read the secure data | READ
Delete | ADMIN
List/View | Only returns those secure keys on which the user has at least one of READ, WRITE, EXECUTE, or ADMIN.

Kerberos Principal

Operation | Privileges Required
--- | ---
Deploy an app to impersonate a Kerberos principal | ADMIN on the principal.
Create a namespace with an owner principal | ADMIN on the principal.
Create a dataset with an owner principal | ADMIN on the principal.

Created in 2020 by Google Inc.