...
- Ideally, D-Rock would like to be able to authorize all operations on all entities in CDAP.
- However, this can be rolled out in phases. In the initial phase, he would like to control who can:
  - Create/update/delete a namespace
    - Only users with WRITE permission on the CDAP instance should be able to perform this operation.
    - We will add a property in cdap-site.xml holding a comma-separated list of users who have admin permission on the CDAP instance. These admins can then grant permissions to other users.
  - Deploy an application in a namespace
    - Only users with WRITE permission on the namespace should be able to perform this operation.
    - Once the application is deployed, the user who deployed it becomes the owner.
  - Start/stop a program
    - Only users with READ permission on the namespace and application, and EXECUTE permission on the program, should be able to perform this operation.
    - Only users with ADMIN permission on the program can set preferences for the program.
    - Only users with WRITE permission can provide runtime args.
  - Read/write to a stream
    - Only users with READ privilege on the namespace and READ permission on the stream should be able to read from the stream.
    - Only users with READ privilege on the namespace and WRITE permission on the stream should be able to write to the stream.
- Create/update/delete a namespace
...
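
The initial-phase rules above, modelled as a default-deny permission table. This is an added example, not CDAP code: the `Authorizer` class, the operation names and the entity tuples are hypothetical, the admin list stands in for the cdap-site.xml property (whose name the page does not give), and it assumes listed admins start with ADMIN and WRITE on the instance and that only they may grant. The runtime-args rule is left out because the page does not say which entity its WRITE permission applies to.

```python
INSTANCE = ("instance",)

def ns(n): return ("namespace", n)
def app(n, a): return ("application", n, a)
def program(n, a, p): return ("program", n, a, p)
def stream(n, s): return ("stream", n, s)

# Operation -> every (entity, permission) pair the caller must hold.
REQUIRED = {
    "manage_namespace": lambda n: [(INSTANCE, "WRITE")],
    "deploy_app": lambda n, a: [(ns(n), "WRITE")],
    "start_stop": lambda n, a, p: [(ns(n), "READ"), (app(n, a), "READ"),
                                   (program(n, a, p), "EXECUTE")],
    "set_preferences": lambda n, a, p: [(program(n, a, p), "ADMIN")],
    "read_stream": lambda n, s: [(ns(n), "READ"), (stream(n, s), "READ")],
    "write_stream": lambda n, s: [(ns(n), "READ"), (stream(n, s), "WRITE")],
}

class Authorizer:
    def __init__(self, admins_csv):
        self.grants, self.owners = set(), {}
        # admins_csv: comma-separated admin list, as read from cdap-site.xml.
        for user in filter(None, (u.strip() for u in admins_csv.split(","))):
            # Assumption: listed admins start with ADMIN and WRITE on the instance.
            self.grants |= {(user, INSTANCE, "ADMIN"), (user, INSTANCE, "WRITE")}

    def grant(self, grantor, user, entity, perm):
        # Assumption: only instance admins may grant permissions to others.
        if (grantor, INSTANCE, "ADMIN") not in self.grants:
            raise PermissionError(f"{grantor} may not grant permissions")
        self.grants.add((user, entity, perm))

    def allowed(self, user, op, *names):
        # Default deny: an unknown operation or any missing pair refuses the call.
        rule = REQUIRED.get(op)
        return rule is not None and all(
            (user, entity, perm) in self.grants for entity, perm in rule(*names))

    def deploy_app(self, user, n, a):
        if not self.allowed(user, "deploy_app", n, a):
            raise PermissionError(f"{user} lacks WRITE on namespace {n}")
        self.owners[(n, a)] = user  # the deployer becomes the owner
```

Holding EXECUTE on a program is not sufficient on its own: `allowed` requires every pair in the rule, so a user without READ on the enclosing namespace and application is still refused.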