Namespaces
Operation | Privileges Required (Existing) | Privileges Required (Proposed) | Integration test name |
|---|---|---|---|
| Create | ADMIN (on the CDAP instance) | ADMIN | BasicAuthorizationTestBase.testNamespcePrivileges |
| Update | ADMIN (on the namespace) | ||
| Delete | ADMIN (on the namespace) | ADMIN on the namespace, and all entities in the namespace | BasicAuthorizationTestBase.testNamespcePrivileges |
| View/List | Any of READ, WRITE, EXECUTE, or ADMIN | Any privilege on the namespace or any of its descendants. | BasicAuthorizationTestBase.testCreatedDeletedPrivileges |
| Get Namespace Meta | Any privilege on the namespace or any of its descendants. |
Artifacts
Operation | Privileges Required (Existing) | Privileges Required (Proposed) |
|---|---|---|
| Add | WRITE (on the namespace) | ADMIN |
| Add a property | ADMIN (on namespace) | ADMIN (on artifact) | ADMIN |
| Remove a property | ADMIN (on namespace) | ADMIN (on artifact) | ADMIN |
| Use to deploy an app | ADMIN | READ | |
| Delete | ADMIN (on namespace) | ADMIN (on artifact) | ADMIN |
| View/List | Any of READ, WRITE, EXECUTE, or ADMIN (on namespace) | Any of READ, WRITE, EXECUTE, or ADMIN (on artifact) | Any privilege on the artifact |
| Get artifact info/summary/detail | ADMIN | READ |
Applications
Operation | Privileges Required (Existing) | Privileges Required (Proposed) |
|---|---|---|
| Add | WRITE (on the namespace) and READ (on the artifact if deployed from an artifact) | ADMIN *Also see artifact privileges and principal privileges |
| Delete | ADMIN (on the application) | ADMIN (on the namespace) | ADMIN |
| View/List | Any of READ, WRITE, EXECUTE, or ADMIN (on namespace) | Any of READ, WRITE, EXECUTE, or ADMIN (on application) | Any privilege on the application or any of its descendants. |
| Get application detail | ADMIN | READ |
Programs
Operation | Privileges Required (Existing) | Privileges Required (Proposed) |
|---|---|---|
| Start, Stop, or Debug | (EXECUTE (on the program) | EXECUTE (on the application) | EXECUTE (on the namespace)) & READ (on the namespace) | EXECUTE |
| Set instances | ADMIN (on the namespace) | ADMIN (on the application) | ADMIN (on the program) | ADMIN |
| Set runtime arguments | ADMIN (on the namespace) | ADMIN (on the application) | ADMIN (on the program) | ADMIN |
| Retrieve runtime arguments | READ (on the namespace) | READ (on the application) | READ (on the program) | READ | EXECUTE | ADMIN |
| Retrieve status | Any of READ, WRITE, EXECUTE, or ADMIN | |
| View/List | Any of READ, WRITE, EXECUTE, or ADMIN | |
| Get program specification | ADMIN | READ |
Datasets
Operation | Privileges Required (Existing) | Privileges Required (Proposed) | Integration Test Name |
|---|---|---|---|
| Create | WRITE (on the namespace) | ADMIN | BasicAuthorizationTestBase.testDatasetPrivileges |
| Read | (READ (on the dataset) and READ (namespace)) | READ (on the namespace) | READ | |
| Retrieving properties | Not Documented | Any of READ, WRITE, ADMIN, or EXECUTE | |
| Write | WRITE (on the dataset) | WRITE (on the namespace) | WRITE | |
| Update | (ADMIN (on the dataset) and READ (on the namespace)) | (ADMIN (on the namespace) and READ (on the namespace)) | ADMIN | BasicAuthorizationTestBase.testDatasetPrivileges |
| Upgrade | ADMIN (on the dataset) | ADMIN (on the namespace) | ADMIN | |
| Truncate | ADMIN (on the dataset) | ADMIN (on the namespace) | ADMIN | BasicAuthorizationTestBase.testDatasetPrivileges |
| Drop | ADMIN (on the dataset) | ADMIN (on the namespace) | ADMIN | BasicAuthorizationTestBase.testDatasetPrivileges |
| View/List | Any of READ, WRITE, EXECUTE, or ADMIN | BasicAuthorizationTestBase.testDatasetPrivileges | |
| Get dataset meta | ADMIN | READ | WRITE | BasicAuthorizationTestBase.testDatasetPrivileges |
Dataset Modules
Operation | Privileges Required (Existing) | Privileges Required (Proposed) |
|---|---|---|
| Deploy | WRITE (on the namespace) | ADMIN |
| Delete | ADMIN (on the dataset module) | ADMIN (on the namespace) | ADMIN |
| Delete-all in the namespace | ADMIN (on the namespace) | ADMIN on all dataset modules in the namespace |
| View/List | Any of READ, WRITE, EXECUTE, or ADMIN | |
| Get module meta | ADMIN | READ |
Dataset Types
Operation | Privileges Required (Existing) | Privileges Required (Proposed) |
|---|---|---|
| View/List | Any of READ, WRITE, EXECUTE, or ADMIN | |
| Get dataset type meta | ADMIN | READ |
Secure Keys
Operation | Privileges Required (Existing) | Privileges Required (Proposed) |
|---|---|---|
| Create | WRITE (on the namespace) | ADMIN |
| Delete | ADMIN (on the key) | ADMIN (on the namespace) | ADMIN |
| View/List | Any of READ, WRITE, EXECUTE, or ADMIN | |
| Read | Not Documented | READ (on the key) |
Streams
Operation | Privileges Required (Existing) | Privileges Required (Proposed) |
|---|---|---|
| Create | WRITE (on the namespace) | ADMIN |
| Retrieving events | READ (on the stream) & READ (on the namespace) | READ |
| Retrieving properties | Any of READ, WRITE, ADMIN, or EXECUTE | |
| Sending events to a stream (sync, async, or batch) | (WRITE (on the stream) and READ (on the namespace)) | WRITE (on namespace & READ (on the namespace)) | WRITE |
| Drop | ADMIN (on stream) | ADMIN (on namespace) | ADMIN |
| Drop-all in the namespace | ADMIN (on the namespace) | ADMIN (on the stream) | ADMIN on all the streams in the namespace |
| Update | ADMIN (on the namespace) | ADMIN (on the stream) | ADMIN |
| Truncate | ADMIN (on the namespace) | ADMIN (on the stream) | ADMIN |
| View/List | Any of READ, WRITE, EXECUTE, or ADMIN | |
| Get stream property | ADMIN | READ |
Principal
Operation | Privileges Required (Existing) | Privileges Required (Proposed) |
|---|---|---|
| Deploy an app to impersonate a principal | ADMIN | |
| Create a namespace with owner prinicpal | ADMIN | |
| Create a dataset with owner prinicpal | ADMIN | |
| Create a stream with owner prinicpal | ADMIN | |
| Run a explore query as impersonated prinicpal | EXECUTE |