Authorization policies

Following are the core policies that the authorization module follows. Detailed policies for entities are listed in the table after that. For new entities and entities not listed here, these core policies should be followed.
  1. Create needs a WRITE on the parent
  2. Delete needs an ADMIN on the entity
  3. Delete all deletes all entities the user has privileges for and shows errors for the ones not deleted.
  4. List needs a READ/WRITE/ADMIN on the entity.
  5. Get needs a READ  on the entity and READ on the parent.
  6. Setting preferences needs WRITE on the entity
  7. Getting preferences needs READ on the entity
  8. Update needs ADMIN on the entity
  9. Adding metadata needs ADMIN on the entity
  10. Reading metadata needs READ on the entity

 

 

 

EntityOperationRequired PrivilegesResultant PrivilegesNotes
NamespacecreateWRITE (Instance)ALL (Namespace) 
 updateADMIN (Namespace)  
 listREAD/WRITE/ADMIN (Namespace) Listing will list all the namespaces, even if the current user does not have access to it.
 getREAD (Namespace)  
 deleteADMIN (Namespace)  
 set preferenceWRITE (Namespace)  
 get preferenceREAD (Namespace)  
 searchREAD (Namespace)  
ArtifactaddWRITE (Namespace)ALL (Artifact) 
 deleteADMIN (Artifact)  
 getREAD (Artifact)  
 listREAD/WRITE/ADMIN (Artifact)  
 write propertyADMIN (Artifact)  
 delete propertyADMIN (Artifact)  
 get propertyREAD (Artifact)  
 write metadataADMIN (Artifact)  
 read metadataREAD (Artifact)  
Applicationdeploy

WRITE (Namespace)

READ(Artifact if deployed from an artifact)

ALL (Application) 
 getREAD (Application)  
 listREAD/WRITE/ADMIN (Application)  
 updateADMIN (Application)  
 deleteADMIN (Application)  
 set preferenceWRITE (Application)  
 get preferenceREAD (Application)  
 add metadataADMIN (Application)  
 get metadataREAD (Application)  
Programsstart/stop/debug

EXECUTE (Program)

READ (Namespace)

  
 set instancesADMIN (Program)  
 listREAD/WRITE/ADMIN (Program)  
 set runtime argsADMIN (Program)  
 get runtime argsREAD (Program)  
 get instancesREAD (Program)  
 set preferenceWRITE (Program)  
 get preferenceREAD (Program)  
 get statusREAD (Program)  
 get historyREAD (Program)  
 add metadataADMIN (Program)  
 get metadataREAD (Program)  
 emit logsWRITE (question) (Namespace)  
 view logsREAD (Program)  
 emit metricsWRITE (question) (Namespace)  
 view metricsREAD (Program)  
StreamscreateWRITE (Namespace)ALL (Stream) 
 update propertiesADMIN (Stream)  
 deleteADMIN (Stream)  
 truncateADMIN (Stream)  
 enqueue
asyncEnqueue
batch

WRITE (Stream)

READ (Namespace)

  
 get

READ (Stream)

READ (Namespace)

  
 listREAD/WRITE/ADMIN (Streams)  
 read events

READ (Stream)

READ (Namespace)

  
 set preferencesWRITE (Stream)  
 get preferencesREAD (Stream)  
 add metadataADMIN (Stream)  
 get metadataREAD (Stream)  
 view lineageREAD (Stream)  
 emit metricsWRITE (question) (Namespace)  
 view metricsREAD (Stream)  
DatasetscreateWRITE (Namespace)ALL (Dataset) 
 get

READ (Dataset)

READ(Namespace)

  
 listREAD/WRITE/ADMIN (Datasets)  
 update

ADMIN (Dataset)

READ(Namespace)

  
 dropADMIN (Dataset)  
 truncateADMIN (Dataset)  
 upgradeADMIN (Dataset)  
 add metadataADMIN (Dataset)  
 get metadataREAD (Dataset)  
 view lineageREAD (Dataset)  
 emit metricsWRITE (question) (Namespace)  
 view metricsREAD (Dataset) Â