A goal is to support authentication and authorization seamlessly between the Kylo applications and the Hadoop cluster.
Why Two Levels of Access Control?
Kylo supports two levels of access control because not all installations require the fine-grained control of entity-level authorization. Service-level authorization is generally easier to manage if your security requirements are not very selective or stringent. If you only need the ability to restrict some Kylo actions to certain select groups of users, then service-level authorization might be sufficient.
If your installation deals with sensitive information, and you need to be very selective of what data certain users and groups can see and manipulate, then you should use entity-level authorization to provide tight controls over that data.
Having two security schemes can pose management challenges as there is a bit of an overlap between the service-level and entity-level permissions, and both levels of access control must be satisfied for a user’s action to be successful. If you choose to use entity-level control then it may be helpful to loosen up the service-level access a bit more where the entity and service permissions are redundant. To help determine what permissions are needed to perform common Kylo activities, the next section describes both kinds of access requirements depending upon what actions are attempted in Kylo.
Roles and Permissions Required for Common Activities
To help understand and manage permissions required by users when using Kylo, the following tables show:
- Common actions in Kylo
- The default entity-level roles that permit those actions
- Additional service-level permissions required to perform those actions
| Action | Roles Permitted | Service-level Permissions |
|---|---|---|
| View template and its summary | Editor, Admin, Read-Only | Access Templates |
| Edit template and its details | Editor, Admin | Edit Templates |
| Delete template | Editor, Admin | Edit Templates |
| Export template | Editor, Admin | Export Templates |
| Grant permissions on template to users/groups | Admin | Edit Templates |
| Import template (new) | N/A | Import Templates |
| Import template (existing) | Editor, Admin | Import Templates, Edit Templates |
| Enable template | N/A | Admin Templates |
| Disable template | N/A | Admin Templates |

| Action | Roles Permitted | Service-level Permissions |
|---|---|---|
| View category and its summary | Editor, Admin, Feed Creator, Read-Only | Access Categories |
| Edit category summary | Editor, Admin | Edit Categories |
| View category and its details | Editor, Admin, Feed Creator | Access Categories |
| Edit category details | Editor, Admin | Edit Categories |
| Edit set user fields | Editor, Admin | Admin Categories |
| Delete category | Editor, Admin | Edit Categories |
| Create feeds under category | Feed Creator | Edit Categories |
| Grant permissions on category to users/groups | Admin | Edit Categories |

| Action | Roles Permitted | Service-level Permissions |
|---|---|---|
| View feed and its details | Editor, Admin, Read-Only | Access Feeds |
| Edit feed summary | Editor, Admin | Edit Feeds |
| Edit feed details | Editor, Admin | Edit Feeds |
| Edit feed user fields | Editor, Admin | Admin Feeds |
| Delete feed | Editor, Admin | Admin Feeds |
| Enable feed | Editor, Admin | Edit Feeds |
| Disable feed | Editor, Admin | Edit Feeds |
| Export feed | Editor, Admin | Export Feeds |
| Import feed (new) | N/A | Import Feeds |
| Import feed (existing) | Editor, Admin | Import Feeds |
| View operational history of feed | Editor, Admin, Read-Only | Access Feeds |
| Grant permissions on feed to users/groups | Admin | Edit Feeds |
Data Source Actions
| Action | Roles Permitted | Service-level Permissions |
|---|---|---|
| View data source summary and use in data transformations | Editor, Admin, Read-Only | Access Data Sources |
| Edit data source summary | Editor, Admin | Edit Data Sources |
| View data source and its details | Editor, Admin | Access Data Sources |
| View data source details, including sensitive information | Editor, Admin | Admin Data Sources |
| Edit data source details | Editor, Admin | Edit Data Sources |
| Delete data source | Editor, Admin | Edit Data Sources |
| Grant permissions on data source to users/groups | Admin | Edit Data Sources |
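
The rule that both levels of access control must be satisfied, applied to the template rows from the tables above. This is an added example, not Kylo code; it reports which level blocks each action for a given user. It assumes that N/A means no entity-level role is checked, that every listed service-level permission is required, and that permissions form a flat set with no implication between them. The function names are hypothetical.

```python
# Added example: rows transcribed from the template table on this page.
# action -> (entity-level roles that permit it, or None where the table says N/A,
#            service-level permissions, all assumed to be required)
TEMPLATE_ACTIONS = {
    "View template and its summary": ({"Editor", "Admin", "Read-Only"}, {"Access Templates"}),
    "Edit template and its details": ({"Editor", "Admin"}, {"Edit Templates"}),
    "Delete template": ({"Editor", "Admin"}, {"Edit Templates"}),
    "Export template": ({"Editor", "Admin"}, {"Export Templates"}),
    "Grant permissions on template to users/groups": ({"Admin"}, {"Edit Templates"}),
    "Import template (new)": (None, {"Import Templates"}),
    "Import template (existing)": ({"Editor", "Admin"}, {"Import Templates", "Edit Templates"}),
    "Enable template": (None, {"Admin Templates"}),
    "Disable template": (None, {"Admin Templates"}),
}


def evaluate(action, entity_roles, service_perms):
    """Return (allowed, reasons); both levels must pass for the action to succeed."""
    roles_ok, perms_needed = TEMPLATE_ACTIONS[action]
    reasons = []
    # Assumption: N/A rows are gated by the service level only.
    if roles_ok is not None and not (roles_ok & set(entity_roles)):
        reasons.append("entity-level: needs one of " + ", ".join(sorted(roles_ok)))
    # Assumption: flat permission set, no permission implies another.
    missing = perms_needed - set(service_perms)
    if missing:
        reasons.append("service-level: missing " + ", ".join(sorted(missing)))
    return (not reasons, reasons)


def audit(entity_roles, service_perms):
    """Map each action the user cannot perform to the level(s) that block it."""
    blocked = {}
    for action in TEMPLATE_ACTIONS:
        allowed, reasons = evaluate(action, entity_roles, service_perms)
        if not allowed:
            blocked[action] = reasons
    return blocked


if __name__ == "__main__":
    # Constructed user: Editor role on a template, only "Access Templates" granted.
    for action, reasons in audit({"Editor"}, {"Access Templates"}).items():
        print(f"{action}: {'; '.join(reasons)}")
```

Running the audit for a group before switching on entity-level control shows where a role grant would have no effect because the service-level permission is missing.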