Overview
This page documents various scenarios for security use cases supported in 3.5. The scenarios below apply to the following combinations of security:
- Authorization
- Authorization + Namespace Mapping
- Authorization + Impersonation
- Authorization + Impersonation + Namespace mapping
Program Runtime
Access datasets, streams and secure keys
During program runtimes, users can access datasets, streams and secure keys through program APIs (MapReduce/Spark/Flows) or through Dataset APIs (getDataset)
Administer datasets, streams and secure keys
During program runtimes, users can administer datasets, streams and secure keys via the Admin APIs
Update system metadata
During program runtimes, CDAP performs various system operations for:
- Recording Audit
- Recording Lineage
- Recording Usage
- Recording Run Records
- Namespace Lookup
- Authorization Enforcement
Explore
Access datasets and streams
Users can execute Hive SELECT (for BatchReadable datasets) and INSERT (for BatchWritable datasets queries via Explore to access data in datasets and streams.
Administer datasets and streams
Create operations on datasets and streams can create tables in Hive if explore is enabled. Similarly, delete can drop and truncate tables.
REST APIs
Publicly routed REST APIs in AppFabric Service
Application Deployment
CDAP Applications with non-existing dataset
- Client -> Router:
deployApp(artifact, appConfig)
- Router -> AppFabric:
deployApp(artifact, appConfig, SecurityRequestContext.userId)
- AppFabric -> AuthEnforcer:
!authorized(SecurityRequestContext(userId)) ? UnauthorizedException
- AppFabric -> AppFabric:
doAs(namespace, deploy(jar, config))
- AppFabric -> DatasetServiceClient:
createDataset()
- DatasetServiceClient -> DatasetService
: createDataset(ds, Header(CDAP-UserId=SecurityRequestContext.userId))
- DatasetService -> AuthEnforcer
: !authorized(SecurityRequestContext.userId) ? UnauthorizedException
- DatasetService -> Authorizer:
revoke(ds); grant(ds, SecurityRequestContext.userId, ALL)
- DatasetService -> DatasetOpExecutor:
success = doAs(namespace, createDataset(ds))
- DatasetService -> Authorizer:
!success ? revoke(ds)
- DatasetService -> AppFabric -> Router -> Client:
result
Namespace Creation
Namespace Deletion
Publicly routed REST APIs in Dataset Service
Publicly routed REST APIs in Stream Service
Scratch Pad
a) Authorization
b) Auth + NS
c) Auth + Impersonation
d) Auth + Impersonation +NS
Application deploy -> Create DS and Streams
2. Program Run -> Creating DS and Streams
3. program Run -> Access DS and Streams
4. Explore -> Access Dataset (Explore can insert to DS) INSERT on SELECT
5. REST APIS -> Create DS and Streams
6. REST APIS -> Access DS and Streams
7. Program -> Access System DS for System metadata recording
Replace Create with Create, Delete and Truncate. All of the admin ops should be accounted
8. Create namespace
9. Delete namespace