The authorization module follows the core policies below. Detailed per-entity policies are listed in the table after them. New entities, and entities not listed in the table, should follow these core policies.
  1. Create needs a WRITE on the parent
  2. Delete needs an ADMIN on the entity
  3. Delete all deletes all entities the user has privileges for and shows errors for the ones not deleted.
  4. List needs a READ on the parent. It lists all entities even if the user has no privilege on the entity, as long as they have read on the parent.
  5. Get needs a READ on the entity
  6. Setting preferences needs WRITE on the entity
  7. Getting preferences needs READ on the entity
  8. Update needs ADMIN on the entity
  9. Adding metadata needs ADMIN on the entity
  10. Reading metadata needs READ on the entity
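
The core policies above as a small checker, added here as an illustration and not taken from the authorization module's code. The `Authorizer` class, its method names and the rule that ALL satisfies any required privilege are assumptions.

```python
from enum import Enum

Priv = Enum("Priv", "READ WRITE ADMIN ALL")

# Core policies: operation -> (required privilege, where it is checked).
CORE_POLICY = {
    "create": (Priv.WRITE, "parent"), "list": (Priv.READ, "parent"),
    "get": (Priv.READ, "entity"), "delete": (Priv.ADMIN, "entity"),
    "update": (Priv.ADMIN, "entity"), "add metadata": (Priv.ADMIN, "entity"),
    "set preference": (Priv.WRITE, "entity"), "get preference": (Priv.READ, "entity"),
    "read metadata": (Priv.READ, "entity"),
}

class Authorizer:
    def __init__(self):
        self.grants = {}   # (user, entity) -> set of Priv
        self.parent = {}   # entity -> parent entity

    def grant(self, user, entity, priv):
        self.grants.setdefault((user, entity), set()).add(priv)

    def allowed(self, user, op, entity=None, parent=None):
        priv, where = CORE_POLICY[op]
        target = parent if where == "parent" else entity
        held = self.grants.get((user, target), set())
        return priv in held or Priv.ALL in held  # assumption: ALL implies the rest

    def create(self, user, entity, parent):
        if not self.allowed(user, "create", parent=parent):
            raise PermissionError(f"{user} lacks WRITE on {parent}")
        self.parent[entity] = parent
        self.grant(user, entity, Priv.ALL)  # resultant privilege: ALL on the new entity

    def list_children(self, user, parent):
        if not self.allowed(user, "list", parent=parent):
            raise PermissionError(f"{user} lacks READ on {parent}")
        # Policy 4: every child is listed, whether or not the user can read it.
        return sorted(e for e, p in self.parent.items() if p == parent)

    def delete_all(self, user, parent):
        deleted, errors = [], []
        for entity in sorted(e for e, p in self.parent.items() if p == parent):
            if self.allowed(user, "delete", entity=entity):  # policy 2, per entity
                del self.parent[entity]
                deleted.append(entity)
            else:  # policy 3: report what was skipped instead of failing the call
                errors.append(f"{entity}: ADMIN required")
        return deleted, errors
```

Note the asymmetry policy 4 creates: a user with READ on a namespace sees the names of entities that `allowed(user, "get", entity=...)` would still refuse.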

 

 

 

| Entity | Operation | Required Privileges | Resultant Privileges | Notes |
|---|---|---|---|---|
| Namespace | create | WRITE (Instance) | ALL (Namespace) | |
| | update | ADMIN (Namespace) | | |
| | list | READ (Instance) | | Listing will list all the namespaces, even if the current user does not have access to them. |
| | get | READ (Namespace) | | |
| | delete | ADMIN (Namespace) | | |
| | set preference | WRITE (Namespace) | | |
| | get preference | READ (Namespace) | | |
| | search | READ/WRITE/ADMIN/ALL (Namespace) | | |
| Artifact | add | WRITE (Namespace) | ALL (Artifact) | |
| | delete | ADMIN (Artifact) | | |
| | get | READ (Artifact) | | |
| | list | READ (Namespace) | | |
| | write property | ADMIN (Artifact) | | |
| | delete property | ADMIN (Artifact) | | |
| | get property | READ (Artifact) | | |
| | write metadata | ADMIN (Artifact) | | |
| | read metadata | READ (Artifact) | | |
| Application | deploy | WRITE (Namespace) | ALL (Application) | |
| | get | READ (Application) | | |
| | list | READ (ApplicationNamespace) | | |
| | update | ADMIN (Application) | | |
| | delete | ADMIN (Application) | | |
| | set preference | WRITE (Application) | | |
| | get preference | READ (Application) | | |
| | add metadata | ADMIN (Application) | | |
| | get metadata | READ (Application) | | |
| Programs | start/stop/debug | EXECUTE (Program) | | |
| | set instances | ADMIN (Program) | | |
| | list | READ/WRITE/ADMIN/ALL (Application) | | |
| | set runtime args | ADMIN (Program) | | |
| | get runtime args | READ/WRITE/ADMIN/EXECUTE/ALL (Program) | | |
| | get instances | READ/WRITE/ADMIN/EXECUTE/ALL (Program) | | |
| | set preference | ADMIN WRITE (Program) | | |
| | get preference | READ (Program) | | |
| | get status | READ/WRITE/ADMIN/EXECUTE/ALL (Program) | | |
| | get history | READ/WRITE/ADMIN/EXECUTE/ALL (Program) | | |
| | add metadata | ADMIN (Program) | | |
| | get metadata | READ (Program) | | |
| | emit logs | WRITE (question) (ProgramNamespace) | | |
| | view logs | READ (Program) | | |
| | emit metrics | WRITE (question) (ProgramNamespace) | | |
| | view metrics | READ (Program) | | |
| Streams | create | WRITE (Namespace) | ALL (Stream) | |
| | update properties | ADMIN (Stream) | | |
| | delete | ADMIN (Stream) | | |
| | truncate | ADMIN (Stream) | | |
| | enqueue, asyncEnqueue, batch | WRITE (Stream) | | |
| | get | READ/WRITE/ADMIN/ALL (Stream) | | |
| | list | READ/WRITE/ADMIN/ALL (Namespace) | | |
| | read events | READ (Stream) | | |
| | set preferences | ADMIN WRITE (Stream) | | |
| | get preferences | READ (Stream) | | |
| | add metadata | ADMIN (Stream) | | |
| | get metadata | READ (Stream) | | |
| | view lineage | READ (Stream) | | |
| | emit metrics | WRITE (question) (StreamNamespace) | | |
| | view metrics | READ (Stream) | | |
| Datasets | listcreate | READ/WRITE/ADMIN/WRITE (Namespace) | ALL (Dataset) | |
| | get | READ/WRITE/ADMIN/ALL (Dataset) | | |
| | createlist | WRITE READ (Namespace) | ALL (Dataset) | |
| | update | ADMIN (Dataset) | | |
| | drop | ADMIN (Dataset) | | |
| | truncate | ADMIN (Dataset) | | |
| | upgrade | ADMIN (Dataset) | | |
| | add metadata | ADMIN (Dataset) | | |
| | get metadata | READ (Dataset) | | |
| | view lineage | READ (Dataset) | | |
| | emit metrics | WRITE (question) (DatasetNamespace) | | |
| | view metrics | READ (Dataset) | | |