Versions Compared

Old Version 62

changes.mady.by.user Bhooshan Mogal

Saved on

compared with

New Version 63

changes.mady.by.user Bhooshan Mogal

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • Ideally, D-Rock would like to be able to authorize all operations on all entities in CDAP. 
  • However, this can be rolled out in phases. In the initial phase, he would like to control who can:
    • Create/update/delete a namespace
      • Only users with WRITE permission on CDAP instance should be able to perform this operation.
      • A property in cdap-site.xml should decide a set of users who have admin permission on cdap instance. These admins can then later grant permissions to other users.
    • Deploy an application in a namespace
      • Only users with WRITE permission on the namespace should be able to perform this operation
      • One the application is deployed the the user who deployed becomes the ADMIN of the application. 
    • Start/stop a program
      • Only users with READ permission on the namespace and application, and EXECUTE permission on the program should be able to perform this operation
      • Only users with ADMIN permission on the program can set preference for the program
      • Only users with WRITE permission can provide runtime args
    • Read/write to a stream
      • Only users with READ privilege on the namespace and READ permission on the stream should be able to read from the stream
      • Only users with READ privilege on the namespace and WRITE permission on the stream should be able to write to the stream

Entities, Operations and

...

Privileges

EntityOperationRequired PrivilegesResultant Privileges
NamespacecreateADMIN (Instance)ADMIN (Namespace)
 updateADMIN (Namespace) 
 listREAD (Instance) 
 getREAD (Namespace) 
 deleteADMIN (Namespace) 
 set preferenceWRITE (Namespace) 
 get preferenceREAD (Namespace) 
 searchREAD (Namespace) 
ArtifactaddWRITE (Namespace)ADMIN (Artifact)
 deleteADMIN (Artifact) 
 getREAD (Artifact) 
 listREAD (Namespace) 
 write propertyADMIN (Artifact) 
 delete propertyADMIN (Artifact) 
 get propertyREAD (Artifact) 
 refreshWRITE (Instance) 
 write metadataADMIN (Artifact) 
 read metadataREAD (Artifact) 
ApplicationdeployWRITE (Namespace)ADMIN (Application)
 getREAD (Application) 
 listREAD (Namespace) 
 updateADMIN (Application) 
 deleteADMIN (Application) 
 set preferenceWRITE (Application) 
 get preferenceREAD (Application) 
 add metadataADMIN (Application) 
 get metadataREAD (Application) 
Programsstart/stop/debugEXECUTE (Program) 
 set instancesADMIN (Program) 
 listREAD (Namespace) 
 set runtime argsEXECUTE (Program) 
 get runtime argsREAD (Program) 
 get instancesREAD (Program) 
 set preferenceADMIN (Program) 
 get preferenceREAD (Program) 
 get statusREAD (Program) 
 get historyREAD (Program) 
 add metadataADMIN (Program) 
 get metadataREAD (Program) 
 emit logsWRITE (question) (Program) 
 view logsREAD (Program) 
 emit metricsWRITE (question) (Program) 
 view metricsREAD (Program) 
StreamscreateWRITE (Namespace)ADMIN (Stream)
 update propertiesADMIN (Stream) 
 deleteADMIN (Stream) 
 truncateADMIN (Stream) 
 enqueue
asyncEnqueue
batch		WRITE (Stream) 
 getREAD (Stream) 
 listREAD (Namespace) 
 read eventsREAD (Stream) 
 set preferencesADMIN (Stream) 
 get preferencesREAD (Stream) 
 add metadataADMIN (Stream) 
 get metadataREAD (Stream) 
 view lineageREAD (Stream) 
 emit metricsWRITE (question) (Stream) 
 view metricsREAD (Stream) 
DatasetslistREAD (Namespace) 
 getREAD (Dataset) 
 createWRITE (Namespace)ADMIN (Dataset)
 updateADMIN (Dataset) 
 dropADMIN (Dataset) 
 executeAdmin (exists/truncate/upgrade)ADMIN (Dataset) 
 add metadataADMIN (Dataset) 
 get metadataREAD (Dataset) 
 view lineageREAD (Dataset) 
 emit metricsWRITE (question) (Dataset) 
 view metricsREAD (Dataset) 
Stream ViewcreateWRITE (Namespace) & ADMIN (Stream)ADMIN (Stream View)
 deleteADMIN (Stream View) 
 listREAD (Namespace) & READ (Stream) 
 getREAD (Stream View) 
 add metadataADMIN (Stream View) 
 get metadataREAD (Stream View) 

...