Sharing an artifact with a user or group

Learn about how to share an artifact with a user or a group.

important

If a job is shared with a user or a group, they can only view the job runs for that job which are created after the job is shared. The runs for a job which were executed before the job was shared will not be accessible by the user or the group.
For each artifact, you can add up to 20 users and 20 groups for each access level. For example, a job can have up to 20 users and 20 groups with full access and 20 users and 20 groups with view only access for that job.
Job runs cannot be shared independently with any user or group. Any user or group with access to the job only can access the job runs associated with that job from the time that job is shared with that user or group.
A Cloudera Data Engineering session cannot be interacted by another VC User. Only a session owner who created it can interact with a session, but admins or VC Users with whom it is shared with full access level can manage or kill it.

Prerequisites:

If you share a job or session with a user or a group, first, make sure that you also share the associated resources and the repositories related to that job or session with them to ensure proper sharing and execution of the jobs and the sessions. If a job or session is shared with a user or a group, but the resources and repositories are not shared, the user or group cannot run the job or the session and any attempt to run the job or session will fail.
When you want to share an artifact or stop sharing an artifact, you must provide the Workload User Name of the user in the Cloudera Data Engineering CLI or Cloudera Data Engineering API. To check your workload user name, select Cloudera Management Console > User Management > Users, find the user name, and then find the Workload User Name.

Sharing an artifact while creating an artifact

Cloudera Data Engineering CLI
Cloudera Data Engineering API

Run the following command to share an artifact with a user or group while creating an artifact:

./cde <***ARTIFACT_TYPE***> create -h
Usage:
  cde <***ARTIFACT_TYPE***> create [flags]

Flags:
      --acl-full-access-group stringArray      group with full access permission (can be repeated to add multiple groups)
      --acl-full-access-user stringArray       user with full access permission (can be repeated to add multiple users) (set '*' value for all VC Users)
      --acl-view-only-group stringArray        group with view only permission (can be repeated to add multiple groups)
      --acl-view-only-user stringArray         user with view only permission (can be repeated to add multiple users) (set '*' value for all VC Users)

Where, the <***ARTIFACT_TYPE***> value can be a job, session, resource, repository, or credential. Only Artifact access management specific flags are shown for clarity.

Examples: The following examples are for jobs. But the same flags apply to sessions, resources, repositories, or credentials.

# create a job and give access to all users
./cde job create --name job-1 --acl-full-access-user '*'

# create a job and give full access to only a specific group
./cde job create --name job-1 --acl-full-access-group 'qe_group'

# create a job with a complex combination of acl rules
./cde job create --name job-1 --acl-full-access-user cdpuser1 --acl-full-access-user cdpuser2 --acl-view-only-group 'qe-group' -acl-full-access-group 'dev-group'

Run the following JSON payload to provide full access for an artifact to a user while creating the artifact:
```
curl -X POST \
<jobs_api_url>/<***ARTIFACT_TYPE***> \
-H "Authorization: Bearer ${CDE_TOKEN}" \
-H "Content-Type: application/json" \
-d'{
"name": "<***ARTIFACT_NAME***>",
"acls": {
	"full_access": {
		"users": [<users>]
	}
}

}'
```
Where, <***ARTIFACT_TYPE***> value can be job, resource, repository, or credential and <***ARTIFACT_NAME***> is the name of the artifact.
Run the following JSON payload to provide full access for an artifact to a group while creating the artifact:
```
curl -X POST \
<jobs_api_url>/<***ARTIFACT_TYPE***> \
-H "Authorization: Bearer ${CDE_TOKEN}" \
-H "Content-Type: application/json" \
-d '{
"name": "<***ARTIFACT_TYPE***>",
"acls": {
	"full_access": {
		"groups": [<groups>]
	}
}

}'
```
Where, <***ARTIFACT_TYPE***> value can be job, resource, repository, or credential and <***ARTIFACT_NAME***> is the name of the artifact.
Run the following JSON payload to provide view-only access for an artifact to a user while creating the artifact:
```
curl -X POST \
<jobs_api_url>/<***ARTIFACT_TYPE***> \
-H "Authorization: Bearer ${CDE_TOKEN}" \
-H "Content-Type: application/json" \
-d '{
"name": "<***ARTIFACT_NAME***>",
"acls": {
	"view_only": {
		"users": [<users>]
	}
}

}'
```
Where, <***ARTIFACT_TYPE***> value can be job, resource, repository, or credential and <***ARTIFACT_NAME***> is the name of the artifact.
Run the following JSON payload to provide view-only access for an artifact to a group while creating the artifact:
```
curl -X POST \
<jobs_api_url>/<***ARTIFACT_TYPE***> \
-H "Authorization: Bearer ${CDE_TOKEN}" \
-H "Content-Type: application/json" \
-d '{
"name": "<***ARTIFACT_NAME***>",
"acls": {
	"view_only": {
		"groups": [<groups>]
	}
}

}'
```
Where, <***ARTIFACT_TYPE***> value can be job, resource, repository, or credential and <***ARTIFACT_NAME***> is the name of the artifact.

Exmaples:

Create a job and give access to all users:

# create a job and give access to all users
curl -X POST \
https://qnrjlcs6.cde-fllv7d7m.apps.apps.shared-rke-dev-01.kcloud.cloudera.com/dex/api/v1/jobs \
-H "Authorization: Bearer ${CDE_TOKEN}" \
-H "Content-Type: application/json" \
-d'{
"name": "job-1",
"spark": {
		"className": "org.apache.spark.examples.SparkPi",
	"file": "local:///opt/spark/examples/jars/spark-examples.jar"
},
"type": "spark",
"acls": {
		"full_access": {
    		"users": ["*"]
		}
}

}'

Create a job and give full access to only a specific group:

# create a job and give full access to only a specific group
curl -X POST \
https://qnrjlcs6.cde-fllv7d7m.apps.apps.shared-rke-dev-01.kcloud.cloudera.com/dex/api/v1/jobs \
-H "Authorization: Bearer ${CDE_TOKEN}" \
-H "Content-Type: application/json" \
-d'{
"name": "job-1",
"spark": {
		"className": "org.apache.spark.examples.SparkPi",
	"file": "local:///opt/spark/examples/jars/spark-examples.jar"
},
"type": "spark",
"acls": {
		"full_access": {
    		"groups": ["cdpcp"]
		}
}

}'

Create a job with a complex combination of access sharing rules:

# create a job with a complex combination of access sharing rules
curl -X POST \
https://qnrjlcs6.cde-fllv7d7m.apps.apps.shared-rke-dev-01.kcloud.cloudera.com/dex/api/v1/jobs \
-H "Authorization: Bearer ${CDE_TOKEN}" \
-H "Content-Type: application/json" \
-d'{
"name": "job-1",
"spark": {
		"className": "org.apache.spark.examples.SparkPi",
	"file": "local:///opt/spark/examples/jars/spark-examples.jar"
},
"type": "spark",
"acls": {
		"full_access": {
			"users": ["cdpuser1"]
		},
		"view_only": {
			"users": ["cdpuser2"],
			"groups": ["cdpcp", "hivetest"]
}
}

}'

Updating artifact sharing after creating an artifact

Cloudera Data Engineering CLI
Cloudera Data Engineering API

Run the following command to share an artifact with a user or group after creating an artifact:

./cde <***ARTIFACT_TYPE***> update -h
Usage:
  cde <***ARTIFACT_TYPE***> update [flags]

Flags:
      --add-acl-full-access-group stringArray      add group with full access permission (can be repeated to add multiple groups)
      --add-acl-full-access-user stringArray       add user with full access permission (can be repeated to add multiple users) (set '*' value for all VC Users)
      --add-acl-view-only-group stringArray        add group with view only permission (can be repeated to add multiple groups)
      --add-acl-view-only-user stringArray         add user with view only permission (can be repeated to add multiple users) (set '*' value for all VC Users)

Where, <***ARTIFACT_TYPE***> value can be job, resource, repository, or credential. Only Artifact access management specific flags are shown for clarity.

Examples: The following examples are for jobs. But the same flags apply to jobs, resources, repositories, or credentials.

# Add * to give access to everybody
./cde job update --name job-1 --add-acl-full-access-user '*' --vcluster-endpoint https://7jn5szdr.cde-tz8dl6vr.apps.host-1.dex-ecs.kcloud.cloudera.com/dex/api/v1 --user cdpuser4

# add cdpuser5 to view-only, cdpuser6 to full-access, remove wildcard from full-access 

./cde job update --name job-1 --add-acl-view-only-user 'cdpuser5' --add-acl-full-access-user 'cdpuser6' --remove-acl-full-access-user '*'

Run the following JSON payload to provide full access for an artifact to a user:
```
curl -X PATCH \
<jobs_api_url>/<***ARTIFACT_TYPE***>/<***ARTIFACT_NAME***> \
-H "Authorization: Bearer ${CDE_TOKEN}" \
-H "Content-Type: application/json" \
-d '{
"acls": {
	"full_access": {
		"users": [<users>]
	}
}

}'
```
Where, <***ARTIFACT_TYPE***> value can be jobs, resource, repository, or credential and <***ARTIFACT_NAME***> is the name of the artifact.
Run the following JSON payload to provide full access for an artifact to a group:
```
curl -X PATCH \
<jobs_api_url>/<***ARTIFACT_TYPE***>/<***ARTIFACT_NAME***> \
-H "Authorization: Bearer ${CDE_TOKEN}" \
-H "Content-Type: application/json" \
-d '{
"acls": {
	"full_access": {
		"groups": [<groups>]
	}
}

}'
```
Where, <***ARTIFACT_TYPE***> value can be jobs, resource, repository, or credential and <***ARTIFACT_NAME***> is the name of the artifact.
Run the following JSON payload to provide view-only access for an artifact to a user:
```
curl -X PATCH \
<jobs_api_url>/<***ARTIFACT_TYPE***>/<***ARTIFACT_NAME***> \
-H "Authorization: Bearer ${CDE_TOKEN}" \
-H "Content-Type: application/json" \
-d '{
"acls": {
	"view_only": {
		"users": [<users>]
	}
}

}'
```
Where, <***ARTIFACT_TYPE***> value can be jobs, resource, repository, or credential and <***ARTIFACT_NAME***> is the name of the artifact.
Run the following JSON payload to provide view-only access for an artifact to a group:
```
curl -X PATCH \
<jobs_api_url>/<***ARTIFACT_TYPE***>/<***ARTIFACT_NAME***> \
-H "Authorization: Bearer ${CDE_TOKEN}" \
-H "Content-Type: application/json" \
-d '{
"acls": {
	"view_only": {
		"groups": [<groups>]
	}
}

}'
```
Where, <***ARTIFACT_TYPE***> value can be jobs, resource, repository, or credential and <***ARTIFACT_NAME***> is the name of the artifact.

Exmaples:

To provide full access to all users:

# Add * to give access to everybody
curl -X PATCH \
https://qnrjlcs6.cde-fllv7d7m.apps.apps.shared-rke-dev-01.kcloud.cloudera.com/dex/api/v1/jobs/job-1 \
-H "Authorization: Bearer ${CDE_TOKEN}" \
-H "Content-Type: application/json" \
-d '{
	"acls": {
    		"full_access": {
        		"users": ["*"]
    		}
}
}'

To add cdpuser1 to view-only, cdpuser2 to full-access, remove wildcard from full-access (replaces the existing artifact sharing):

# add cdpuser1 to view-only, cdpuser2 to full-access, and remove wildcard from full-access (replaces the existing artifact sharing)
curl -X PATCH \
https://qnrjlcs6.cde-fllv7d7m.apps.apps.shared-rke-dev-01.kcloud.cloudera.com/dex/api/v1/jobs/job-1 \
-H "Authorization: Bearer ${CDE_TOKEN}" \
-H "Content-Type: application/json" \
-d '{
	"acls": {
    		"full_access": {
        		"users": ["cdpuser2"]
    		},
		"view_only": {
			"users": ["cdpuser1"]
		}
}
}'

To combine user and groups:

# combine user and groups
curl -X PATCH \
https://qnrjlcs6.cde-fllv7d7m.apps.apps.shared-rke-dev-01.kcloud.cloudera.com/dex/api/v1/jobs/job-1 \
-H "Authorization: Bearer ${CDE_TOKEN}" \
-H "Content-Type: application/json" \
-d '{
	"acls": {
    		"full_access": {
        		"groups": ["hivetest"]
    		},
		"view_only": {
			"users": ["cdpuser1"]
		}
}
}'