Sharing an artifact with a user or group
Learn how to share an artifact with a user or a group.
- Before you share a job or session with a user or a group, share the associated resources and repositories with them as well. If the job or session is shared but its resources and repositories are not, the user or group cannot run the job or session, and any attempt to run it fails.
- When you want to share an artifact or stop sharing an artifact, you must provide the Workload User Name of the user in the Cloudera Data Engineering CLI or Cloudera Data Engineering API. To check your workload user name, go to , find the user name, and then find the Workload User Name.
Sharing an artifact while creating an artifact
Run the following command to share an artifact with a user or group while creating an artifact:
./cde <***ARTIFACT_TYPE***> create -h
Usage:
cde <***ARTIFACT_TYPE***> create [flags]
Flags:
--acl-full-access-group stringArray group with full access permission (can be repeated to add multiple groups)
--acl-full-access-user stringArray user with full access permission (can be repeated to add multiple users) (set '*' value for all VC Users)
--acl-view-only-group stringArray group with view only permission (can be repeated to add multiple groups)
--acl-view-only-user stringArray user with view only permission (can be repeated to add multiple users) (set '*' value for all VC Users)
The <***ARTIFACT_TYPE***> value can be a job, session, resource, repository, or credential. Only Artifact access management-specific flags are shown for clarity.
Examples
The following examples are for jobs, but the same flags apply to sessions, resources, repositories, or credentials.
# create a job and give access to all users
./cde job create --name job-1 --acl-full-access-user '*'
# create a job and give full access to only a specific group
./cde job create --name job-1 --acl-full-access-group 'qe_group'
# create a job with a complex combination of acl rules
./cde job create --name job-1 --acl-full-access-user cdpuser1 --acl-full-access-user cdpuser2 --acl-view-only-group 'qe-group' --acl-full-access-group 'dev-group'
- Send the following JSON payload to provide full access for an artifact to a user while creating the artifact:
curl -X POST \
  <jobs_api_url>/<***ARTIFACT_TYPE***> \
  -H "Authorization: Bearer ${CDE_TOKEN}" \
  -H "Content-Type: application/json" \
  -d '{ "name": "<***ARTIFACT_NAME***>", "acls": { "full_access": { "users": [<users>] } } }'
- Send the following JSON payload to provide full access for an artifact to a group while creating the artifact:
curl -X POST \
  <jobs_api_url>/<***ARTIFACT_TYPE***> \
  -H "Authorization: Bearer ${CDE_TOKEN}" \
  -H "Content-Type: application/json" \
  -d '{ "name": "<***ARTIFACT_NAME***>", "acls": { "full_access": { "groups": [<groups>] } } }'
- Send the following JSON payload to provide view-only access for an artifact to a user while creating the artifact:
curl -X POST \
  <jobs_api_url>/<***ARTIFACT_TYPE***> \
  -H "Authorization: Bearer ${CDE_TOKEN}" \
  -H "Content-Type: application/json" \
  -d '{ "name": "<***ARTIFACT_NAME***>", "acls": { "view_only": { "users": [<users>] } } }'
- Send the following JSON payload to provide view-only access for an artifact to a group while creating the artifact:
curl -X POST \
  <jobs_api_url>/<***ARTIFACT_TYPE***> \
  -H "Authorization: Bearer ${CDE_TOKEN}" \
  -H "Content-Type: application/json" \
  -d '{ "name": "<***ARTIFACT_NAME***>", "acls": { "view_only": { "groups": [<groups>] } } }'
In each of these payloads, the <***ARTIFACT_TYPE***> value can be job, resource, repository, or credential and the <***ARTIFACT_NAME***> value is the name of the artifact.
- This example shows creating a job and giving access to all users.
# create a job and give access to all users
curl -X POST \
  https://qnrjlcs6.cde-fllv7d7m.apps.apps.shared-rke-dev-01.kcloud.cloudera.com/dex/api/v1/jobs \
  -H "Authorization: Bearer ${CDE_TOKEN}" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "job-1",
    "spark": {
      "className": "org.apache.spark.examples.SparkPi",
      "file": "local:///opt/spark/examples/jars/spark-examples.jar"
    },
    "type": "spark",
    "acls": { "full_access": { "users": ["*"] } }
  }'
- This example shows creating a job and giving full access to only a specific group.
# create a job and give full access to only a specific group
curl -X POST \
  https://qnrjlcs6.cde-fllv7d7m.apps.apps.shared-rke-dev-01.kcloud.cloudera.com/dex/api/v1/jobs \
  -H "Authorization: Bearer ${CDE_TOKEN}" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "job-1",
    "spark": {
      "className": "org.apache.spark.examples.SparkPi",
      "file": "local:///opt/spark/examples/jars/spark-examples.jar"
    },
    "type": "spark",
    "acls": { "full_access": { "groups": ["cdpcp"] } }
  }'
- This example shows creating a job with a complex combination of access sharing rules.
# create a job with a complex combination of access sharing rules
curl -X POST \
  https://qnrjlcs6.cde-fllv7d7m.apps.apps.shared-rke-dev-01.kcloud.cloudera.com/dex/api/v1/jobs \
  -H "Authorization: Bearer ${CDE_TOKEN}" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "job-1",
    "spark": {
      "className": "org.apache.spark.examples.SparkPi",
      "file": "local:///opt/spark/examples/jars/spark-examples.jar"
    },
    "type": "spark",
    "acls": {
      "full_access": { "users": ["cdpuser1"] },
      "view_only": { "users": ["cdpuser2"], "groups": ["cdpcp", "hivetest"] }
    }
  }'
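The requirement stated at the top of this page (a shared job fails to run unless its resources and repositories are shared too) can be checked before the request is sent. The following is an added example, not Cloudera code: the function names, the dependency names `files-1` and `repo-1`, and the sample data are constructed, and it assumes each dependency's sharing is available as an "acls" object in the request format shown above, with either access level counting as shared.

```python
LEVELS = ("full_access", "view_only")

def principals(acls):
    """Return (users, groups) granted at any level in an "acls" object."""
    users, groups = set(), set()
    for level in LEVELS:
        entry = acls.get(level) or {}
        users.update(entry.get("users") or [])
        groups.update(entry.get("groups") or [])
    return users, groups

def wildcard_grants(acls):
    """Levels at which '*' (all virtual cluster users) is granted."""
    return [lvl for lvl in LEVELS
            if "*" in ((acls.get(lvl) or {}).get("users") or [])]

def sharing_gaps(job_acls, dependency_acls):
    """Map each dependency to the job principals it is not shared with.

    Group membership is not resolved: a user covered only through a group
    is still reported, so treat the result as a list to review.
    """
    job_users, job_groups = principals(job_acls)
    gaps = {}
    for name, acls in dependency_acls.items():
        dep_users, dep_groups = principals(acls)
        if "*" in dep_users:
            continue  # dependency is already shared with every user
        missing = {"users": sorted(job_users - dep_users),
                   "groups": sorted(job_groups - dep_groups)}
        if missing["users"] or missing["groups"]:
            gaps[name] = missing
    return gaps

# Constructed sample: the job ACL from the "complex combination" example,
# plus two hypothetical dependencies of that job.
JOB_ACLS = {
    "full_access": {"users": ["cdpuser1"]},
    "view_only": {"users": ["cdpuser2"], "groups": ["cdpcp", "hivetest"]},
}
DEPENDENCY_ACLS = {
    "files-1": {"full_access": {"users": ["cdpuser1"]},
                "view_only": {"groups": ["cdpcp"]}},
    "repo-1": {"view_only": {"users": ["*"]}},
}

if __name__ == "__main__":
    print("wildcard levels on job:", wildcard_grants(JOB_ACLS))
    for dep, missing in sharing_gaps(JOB_ACLS, DEPENDENCY_ACLS).items():
        print(f"{dep} is not shared with: {missing}")
```
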
Updating artifact sharing after creating an artifact
To share a job:
- In the Cloudera console, click the Data Engineering tile. The Cloudera Data Engineering Home page displays.
- In the left navigation menu, click Jobs. The Jobs page is displayed.
- Select the job that you want to share and click the Sharing tab.
- In the Sharing Settings section, click Add User or Group. The Add User or Group pop-up appears.
- In the Search for a User or a Group field, type the user or group name and select the required user or group from the list.
- From the Access Level drop-down list, select Full or Read Only depending on the access you want to provide.
- Click Add.
To share a repository:
- In the Cloudera console, click the Data Engineering tile. The Cloudera Data Engineering Home page displays.
- In the left navigation menu, click Repositories. The Repositories page is displayed.
- Select the repository that you want to share and click the Sharing tab.
- In the Sharing Settings section, click Add User or Group. The Add User or Group pop-up appears.
- In the Search for a User or a Group field, type the user or group name and select the required user or group from the list.
- From the Access Level drop-down list, select Full or Read Only depending on the access you want to provide.
- Click Add.
To share a resource:
- In the Cloudera console, click the Data Engineering tile. The Cloudera Data Engineering Home page displays.
- In the left navigation menu, click Resources. The Resources page is displayed.
- Select the resource that you want to share and click the Sharing tab.
- In the Sharing Settings section, click Add User or Group. The Add User or Group pop-up appears.
- In the Search for a User or a Group field, type the user or group name and select the required user or group from the list.
- From the Access Level drop-down list, select Full or Read Only depending on the access you want to provide.
- Click Add.
Run the following command to share an artifact with a user or group after creating an artifact:
./cde <***ARTIFACT_TYPE***> update -h
Usage:
cde <***ARTIFACT_TYPE***> update [flags]
Flags:
--add-acl-full-access-group stringArray add group with full access permission (can be repeated to add multiple groups)
--add-acl-full-access-user stringArray add user with full access permission (can be repeated to add multiple users) (set '*' value for all VC Users)
--add-acl-view-only-group stringArray add group with view only permission (can be repeated to add multiple groups)
--add-acl-view-only-user stringArray add user with view only permission (can be repeated to add multiple users) (set '*' value for all VC Users)
The <***ARTIFACT_TYPE***> value can be job, resource, repository, or credential. Only Artifact access management specific flags are shown for clarity.
Examples
The following examples are for jobs, but the same flags apply to resources, repositories, or credentials.
# Add * to give access to everybody
./cde job update --name job-1 --add-acl-full-access-user '*' --vcluster-endpoint https://7jn5szdr.cde-tz8dl6vr.apps.host-1.dex-ecs.kcloud.cloudera.com/dex/api/v1 --user cdpuser4
# add cdpuser5 to view-only, cdpuser6 to full-access, remove wildcard from full-access
./cde job update --name job-1 --add-acl-view-only-user 'cdpuser5' --add-acl-full-access-user 'cdpuser6' --remove-acl-full-access-user '*'
- Send the following JSON payload to provide full access for an artifact to a user:
curl -X PATCH \
  <jobs_api_url>/<***ARTIFACT_TYPE***>/<***ARTIFACT_NAME***> \
  -H "Authorization: Bearer ${CDE_TOKEN}" \
  -H "Content-Type: application/json" \
  -d '{ "acls": { "full_access": { "users": [<users>] } } }'
- Send the following JSON payload to provide full access for an artifact to a group:
curl -X PATCH \
  <jobs_api_url>/<***ARTIFACT_TYPE***>/<***ARTIFACT_NAME***> \
  -H "Authorization: Bearer ${CDE_TOKEN}" \
  -H "Content-Type: application/json" \
  -d '{ "acls": { "full_access": { "groups": [<groups>] } } }'
- Send the following JSON payload to provide view-only access for an artifact to a user:
curl -X PATCH \
  <jobs_api_url>/<***ARTIFACT_TYPE***>/<***ARTIFACT_NAME***> \
  -H "Authorization: Bearer ${CDE_TOKEN}" \
  -H "Content-Type: application/json" \
  -d '{ "acls": { "view_only": { "users": [<users>] } } }'
- Send the following JSON payload to provide view-only access for an artifact to a group:
curl -X PATCH \
  <jobs_api_url>/<***ARTIFACT_TYPE***>/<***ARTIFACT_NAME***> \
  -H "Authorization: Bearer ${CDE_TOKEN}" \
  -H "Content-Type: application/json" \
  -d '{ "acls": { "view_only": { "groups": [<groups>] } } }'
In each of these payloads, the <***ARTIFACT_TYPE***> value can be jobs, resource, repository, or credential and the <***ARTIFACT_NAME***> value is the name of the artifact.
- This example shows providing full access to all users.
# Add * to give access to everybody
curl -X PATCH \
  https://qnrjlcs6.cde-fllv7d7m.apps.apps.shared-rke-dev-01.kcloud.cloudera.com/dex/api/v1/jobs/job-1 \
  -H "Authorization: Bearer ${CDE_TOKEN}" \
  -H "Content-Type: application/json" \
  -d '{ "acls": { "full_access": { "users": ["*"] } } }'
- This example shows adding cdpuser1 to view-only access, cdpuser2 to full-access, and removing the wildcard from full-access, which replaces the existing artifact sharing.
# add cdpuser1 to view-only, cdpuser2 to full-access, and remove wildcard from full-access (replaces the existing artifact sharing)
curl -X PATCH \
  https://qnrjlcs6.cde-fllv7d7m.apps.apps.shared-rke-dev-01.kcloud.cloudera.com/dex/api/v1/jobs/job-1 \
  -H "Authorization: Bearer ${CDE_TOKEN}" \
  -H "Content-Type: application/json" \
  -d '{
    "acls": {
      "full_access": { "users": ["cdpuser2"] },
      "view_only": { "users": ["cdpuser1"] }
    }
  }'
- This example shows combining users and groups.
# combine user and groups
curl -X PATCH \
  https://qnrjlcs6.cde-fllv7d7m.apps.apps.shared-rke-dev-01.kcloud.cloudera.com/dex/api/v1/jobs/job-1 \
  -H "Authorization: Bearer ${CDE_TOKEN}" \
  -H "Content-Type: application/json" \
  -d '{
    "acls": {
      "full_access": { "groups": ["hivetest"] },
      "view_only": { "users": ["cdpuser1"] }
    }
  }'
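The second example above is described as replacing the existing artifact sharing, so a PATCH body has to carry every grant that should remain, not only the new one. The following added example (not Cloudera code) builds that complete body from the current sharing plus the intended changes. The function names are hypothetical, the current "acls" object is assumed to be supplied by the caller in the request format shown on this page, and moving a principal to a single level is a choice made by this example.

```python
import json

LEVELS = ("full_access", "view_only")
KINDS = ("users", "groups")

def _check(level, kind):
    if level not in LEVELS or kind not in KINDS:
        raise ValueError(f"unknown ACL slot: {level}/{kind}")

def replacement_acls(current, add=(), remove=()):
    """Return the complete "acls" object to send in the PATCH body.

    current: the artifact's present "acls" object.
    add / remove: iterables of (level, kind, name) tuples.
    """
    merged = {lvl: {k: set((current.get(lvl) or {}).get(k) or [])
                    for k in KINDS}
              for lvl in LEVELS}
    for level, kind, name in remove:
        _check(level, kind)
        merged[level][kind].discard(name)
    for level, kind, name in add:
        _check(level, kind)
        # Keep each principal at one level only: drop it from both,
        # then grant it at the requested level.
        for lvl in LEVELS:
            merged[lvl][kind].discard(name)
        merged[level][kind].add(name)
    # Omit empty lists so the body names only grants that should exist.
    return {lvl: {k: sorted(v) for k, v in kinds.items() if v}
            for lvl, kinds in merged.items() if any(kinds.values())}

def patch_body(current, add=(), remove=()):
    """JSON string for curl's -d argument."""
    return json.dumps({"acls": replacement_acls(current, add, remove)},
                      sort_keys=True)

# Constructed sample: job-1 currently grants full access to everybody.
CURRENT = {"full_access": {"users": ["*"]}}
CHANGES_ADD = [("view_only", "users", "cdpuser1"),
               ("full_access", "users", "cdpuser2")]
CHANGES_REMOVE = [("full_access", "users", "*")]

if __name__ == "__main__":
    print(patch_body(CURRENT, CHANGES_ADD, CHANGES_REMOVE))
```
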
