Cloudera Enterprise 6.0.x

Authorization Privilege Model for Cloudera Search

  Important: In CDH 6, the privilege model for Cloudera Search (which is built on Apache Solr) has changed. After upgrading to CDH 6, migrate to the new model using the Sentry privilege migration script.

Sentry privileges for Cloudera Search are constructed as follows:

<objectType>=<specificObject>->action=<action>

For example, the following privilege grants write access (UPDATE) to the tweets collection:

collection=tweets->action=UPDATE

Using Sentry with Cloudera Search, you can control access to the following privilege object types:

  • admin
  • collection
  • config
  • schema

The admin object type controls access to administrative actions through the following privilege objects:

  • collections - Controls access to the Collections API
  • cores - Controls access to the CoreAdmin API
  • security - Controls access to Solr security configurations (the security.json file in ZooKeeper)
  • metrics - Controls access to the Metrics API
  • autoscaling - Controls access to the Autoscaling API

Privilege objects can be granted the following privileges:

  • QUERY: Read access
  • UPDATE: Write access (including delete)
  • *: Read and write access

If no privileges are granted, no access is possible. For example, accessing the Solr Admin UI requires the QUERY privilege. If no users are granted the QUERY privilege, no access to the Solr Admin UI is possible.

Non-administrative requests require privileges only on the specific collection or config on which the request is being performed.

Administrative requests may require privileges for both the specific admin object and the collection. This is denoted as admin=<adminObject>, collection=<collectionName> in the tables below.

Table 1. Privilege Table for Collections API Administrative Actions

Required privileges:
  admin=collections->action=UPDATE
  collection=<aliasName>->action=UPDATE
  Note: <aliasName> here refers to the name of the alias, not the underlying collections.
Collections API actions:
  • CREATEALIAS
  • DELETEALIAS

Required privileges:
  admin=collections->action=UPDATE
  collection=<collectionName>->action=UPDATE
Collections API actions:
  • CREATE
  • DELETE
  • MODIFYCOLLECTION
  • RELOAD
  • CREATESHARD
  • DELETESHARD
  • SPLITSHARD
  • SYNCSHARD
  • CREATESNAPSHOT
  • DELETESNAPSHOT
  • RESTORE
  • ADDREPLICA
  • DELETEREPLICA
  • MOVEREPLICA
  • ADDREPLICAPROP
  • DELETEREPLICAPROP
  • MIGRATESTATEFORMAT
  • FORCELEADER
  • REBALANCELEADERS
  • BALANCESHARDUNIQUE
  • MIGRATE (Destination Collection)

Required privileges:
  admin=collections->action=UPDATE
Collections API actions:
  • ADDROLE
  • REMOVEROLE
  • CLUSTERPROP
  • DELETESTATUS
  • DELETENODE
  • REPLACENODE

Required privileges:
  admin=collections->action=QUERY
  collection=<collectionName>->action=QUERY
Collections API actions:
  • LISTSNAPSHOTS
  • BACKUP
  • MIGRATE (Source Collection)

Required privileges:
  admin=collections->action=QUERY
Collections API actions:
  • LIST
  • LISTALIASES
  • REQUESTSTATUS
  • OVERSEERSTATUS
  • CLUSTERSTATUS

Table 2. Privilege Table for CoreAdmin API Administrative Actions

Required privileges:
  admin=cores->action=UPDATE
  collection=<coreName>->action=UPDATE
CoreAdmin API actions:
  • CREATE
  • RENAME
  • UNLOAD
  • RELOAD
  • SWAP
  • MERGEINDEXES
  • SPLIT
  • PREPRECOVERY
  • REQUESTRECOVERY
  • REQUESTSYNCSHARD
  • REQUESTAPPLYUPDATES
  • REQUESTBUFFERUPDATES
  • REJOINLEADERELECTION
  • FORCEPREPAREFORLEADERSHIP
  • CREATESNAPSHOT
  • DELETESNAPSHOT
  • RESTORECORE

Required privileges:
  admin=cores->action=QUERY
  collection=<coreName>->action=QUERY
CoreAdmin API actions:
  • LISTSNAPSHOTS
  • STATUS
  • BACKUPCORE

Table 3. Privilege Table for Config API Actions

Required privileges:
  config=<configName>->action=*
Config API actions:
  • CREATE
  • DELETE
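The following is an added example, not Cloudera's or Sentry's own code: it parses privilege strings in the form shown above, expands "*" to read and write, and checks a hand-transcribed subset of Table 1 so that an action is allowed only when every listed privilege (admin object and, where required, the named collection or alias) is held. The REQUIRED map, the function names and the sample privilege lists are assumptions made for this illustration.

```python
import re

# Grammar stated on the page: <objectType>=<specificObject>->action=<action>
PRIV_RE = re.compile(r"^(admin|collection|config|schema)=(.+?)->action=(QUERY|UPDATE|\*)$")

# Subset of Table 1, transcribed by hand for this example. Each entry lists the
# (objectType, objectName, action) privileges an API action needs; objectName None
# means "the collection (or alias) named in the request".
REQUIRED = {
    "CREATEALIAS":   [("admin", "collections", "UPDATE"), ("collection", None, "UPDATE")],
    "CREATE":        [("admin", "collections", "UPDATE"), ("collection", None, "UPDATE")],
    "DELETE":        [("admin", "collections", "UPDATE"), ("collection", None, "UPDATE")],
    "BACKUP":        [("admin", "collections", "QUERY"), ("collection", None, "QUERY")],
    "LIST":          [("admin", "collections", "QUERY")],
    "CLUSTERSTATUS": [("admin", "collections", "QUERY")],
}

def parse_privilege(text):
    """Split one privilege string into (objectType, objectName, set of actions)."""
    m = PRIV_RE.match(text.strip())
    if not m:
        raise ValueError(f"malformed Cloudera Search privilege: {text!r}")
    obj_type, obj_name, action = m.groups()
    # "*" is read and write access, so expand it to both concrete actions.
    actions = {"QUERY", "UPDATE"} if action == "*" else {action}
    return obj_type, obj_name, actions

def grants(privileges):
    """Collapse a list of privilege strings into {(objectType, objectName): actions}."""
    held = {}
    for p in privileges:
        obj_type, obj_name, actions = parse_privilege(p)
        held.setdefault((obj_type, obj_name), set()).update(actions)
    return held

def is_allowed(privileges, api_action, collection=None):
    """True only if every privilege the table lists for api_action is held.
    Unknown actions and missing privileges fail closed, matching the rule
    that with no privileges granted no access is possible."""
    held = grants(privileges)
    requirements = REQUIRED.get(api_action)
    if requirements is None:
        return False
    for obj_type, obj_name, needed in requirements:
        name = collection if obj_name is None else obj_name
        if needed not in held.get((obj_type, name), set()):
            return False
    return True
```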
Page generated July 25, 2018.