Cloudera Enterprise 6.0.x | Other versions
Authorization Privilege Model for Cloudera Search
Important: In CDH 6, the privilege model for Cloudera Search (which is built on Apache
Solr) is changed. After upgrading to CDH 6, migrate to the new model using the Sentry privilege migration
script.Sentry privileges for Cloudera Search are constructed as follows:
<objectType>=<specificObject>->action=<action>
For example, the following privilege grants write access (UPDATE) to the tweets collection:
collection=tweets->action=UPDATE
Using Sentry with Cloudera Search, you can control access the following privilege object types:
- admin
- collection
- config
- schema
The admin object type controls access to administrative actions through the following privilege objects:
- collections - Controls access to the Collections API
- cores - Controls access to the CoreAdmin API
- security - Controls access to Solr security configurations (the security.json file in ZooKeeper)
- metrics - Controls access to the Metrics API
- autoscaling - Controls access to the Autoscaling API
Privilege objects can be granted the following privileges:
- QUERY: Read access
- UPDATE: Write access (including delete)
- *: Read and write access
If no privileges are granted, no access is possible. For example, accessing the Solr Admin UI requires the QUERY privilege. If no users are granted the QUERY privilege, no access to the Solr Admin UI is possible.
Non-administrative requests may only require privileges on the specific collection or config on which the request is being performed.
Administrative requests may require privileges for both the specific admin object and the collection. This is denoted as admin=<adminObject>, collection=<collectionName> in the tables below.
| Required Privileges | Collections API Action |
|---|---|
admin=collections->action=UPDATE collection=<aliasName>->action=UPDATE  Note: <aliasName> here refers to the name of the alias, not
the underlying collections. |
CREATEALIAS |
| DELETEALIAS | |
admin=collections->action=UPDATE collection=<collectionName>->action=UPDATE |
CREATE |
| DELETE | |
| MODIFYCOLLECTION | |
| RELOAD | |
| CREATESHARD | |
| DELETESHARD | |
| SPLITSHARD | |
| SYNCSHARD | |
| CREATESNAPSHOT | |
| DELETESNAPSHOT | |
| RESTORE | |
| ADDREPLICA | |
| DELETEREPLICA | |
| MOVEREPLICA | |
| ADDREPLICAPROP | |
| DELETEREPLICAPROP | |
| MIGRATESTATEFORMAT | |
| FORCELEADER | |
| REBALANCELEADERS | |
| BALANCESHARDUNIQUE | |
| MIGRATE (Destination Collection) | |
admin=collections->action=UPDATE |
ADDROLE |
| REMOVEROLE | |
| CLUSTERPROP | |
| DELETESTATUS | |
| DELETENODE | |
| REPLACENODE | |
admin=collections->action=QUERY collection=<collectionName>->action=QUERY |
LISTSNAPSHOTS |
| BACKUP | |
| MIGRATE (Source Collection) | |
admin=collections->action=QUERY |
LIST |
| LISTALIASES | |
| REQUESTSTATUS | |
| OVERSEERSTATUS | |
| CLUSTERSTATUS |
| Required Privileges | CoreAdmin API Action |
|---|---|
admin=cores->action=UPDATE collection=<coreName>->action=UPDATE |
CREATE |
| RENAME | |
| UNLOAD | |
| RELOAD | |
| SWAP | |
| MERGEINDEXES | |
| SPLIT | |
| PREPRECOVERY | |
| REQUESTRECOVERY | |
| REQUESTSYNCSHARD | |
| REQUESTAPPLYUPDATES | |
| REQUESTBUFFERUPDATES | |
| REQUESTAPPLYUPDATES | |
| REQUESTSYNCSHARD | |
| REJOINLEADERELECTION | |
| PREPRECOVERY | |
| FORCEPREPAREFORLEADERSHIP | |
| CREATESNAPSHOT | |
| DELETESNAPSHOT | |
| RESTORECORE | |
admin=cores->action=QUERY collection=<coreName>->action=QUERY |
LISTSNAPSHOTS |
| STATUS | |
| BACKUPCORE |
| Required Privileges | Config API Action |
|---|---|
config=<configName>->action=* |
CREATE |
| DELETE |
| << Authorization Privilege Model for Hive and Impala | ©2016 Cloudera, Inc. All rights reserved | Hive SQL Syntax for Use with Sentry >> |
| Terms and Conditions Privacy Policy |