The minimum permissions for Cloudera DataFlow (CDF) on Azure govern access control
between Azure resources, the Azure storage account, and CDF. The minimum permissions that allow
for enabling/disabling CDF and deploying/undeploying flows can be set using a custom
role.
- Create a custom role that contains the minimum permissions.
  The following role definition outlines the minimum permissions required to create a
  custom role for CDF. The permissions are listed in the Actions section, so that
  CDF can access resources and operate correctly.
  When using the role definition, replace the following values:
  - [YOUR-SUBSCRIPTION-ID]: The ID of the subscription in use.
  - [YOUR-RESTRICTED-ROLE-NAME]: The name of the custom role that is assigned to the
    application. For example: Cloudera Dataflow Azure Operator for Single Resource Group
  - [YOUR-RESOURCE-GROUP-NAME]: The original resource group name.
  {
    "properties": {
      "roleName": "[YOUR-RESTRICTED-ROLE-NAME]",
      "description": "Can use Dataflow managed clusters and resources updated for single resource group.",
      "isCustom": true,
      "assignableScopes": [
        "/subscriptions/[YOUR-SUBSCRIPTION-ID]/resourceGroups/[YOUR-RESOURCE-GROUP-NAME]"
      ],
      "permissions": [
        {
          "actions": [
            "Microsoft.ContainerService/managedClusters/read",
            "Microsoft.ContainerService/managedClusters/write",
            "Microsoft.ContainerService/managedClusters/upgradeProfiles/read",
            "Microsoft.ContainerService/managedClusters/delete",
            "Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action"
          ],
          "notActions": [],
          "dataActions": [],
          "notDataActions": []
        }
      ]
    }
  }
- Assign the custom role to the app registration that you created earlier in the Azure
  Portal. For instructions, see Create an app registration and assign a role to it.
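The two steps above amount to rendering the role definition with your values and then creating and assigning it. The following script is an added example (not Cloudera's own tooling) that renders the placeholders and checks the result against the least-privilege baseline from the role definition above before anything is created in Azure: it confirms that no `[YOUR-...]` placeholder is left behind, that the JSON parses, that every assignable scope is a single resource group rather than a whole subscription, and that the actions list contains exactly the five baseline actions and no data actions. The subscription ID, role name and resource group used in the `__main__` block are constructed sample values.

```python
import json
import re

# Role definition from the page, embedded here so the script runs offline.
ROLE_TEMPLATE = """{
  "properties": {
    "roleName": "[YOUR-RESTRICTED-ROLE-NAME]",
    "description": "Can use Dataflow managed clusters and resources updated for single resource group.",
    "isCustom": true,
    "assignableScopes": [
      "/subscriptions/[YOUR-SUBSCRIPTION-ID]/resourceGroups/[YOUR-RESOURCE-GROUP-NAME]"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.ContainerService/managedClusters/read",
          "Microsoft.ContainerService/managedClusters/write",
          "Microsoft.ContainerService/managedClusters/upgradeProfiles/read",
          "Microsoft.ContainerService/managedClusters/delete",
          "Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}"""

# The baseline actions listed on the page; anything beyond these deserves a review.
BASELINE_ACTIONS = frozenset([
    "Microsoft.ContainerService/managedClusters/read",
    "Microsoft.ContainerService/managedClusters/write",
    "Microsoft.ContainerService/managedClusters/upgradeProfiles/read",
    "Microsoft.ContainerService/managedClusters/delete",
    "Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action",
])

PLACEHOLDER_RE = re.compile(r"\[YOUR-[A-Z-]+\]")
# Exactly one resource group: /subscriptions/<id>/resourceGroups/<name>, nothing broader.
RESOURCE_GROUP_SCOPE_RE = re.compile(r"^/subscriptions/[^/]+/resourceGroups/[^/]+$")


def render_role_definition(subscription_id, role_name, resource_group, template=ROLE_TEMPLATE):
    """Substitute the three placeholders from the page into the template."""
    return (template.replace("[YOUR-SUBSCRIPTION-ID]", subscription_id)
                    .replace("[YOUR-RESTRICTED-ROLE-NAME]", role_name)
                    .replace("[YOUR-RESOURCE-GROUP-NAME]", resource_group))


def check_role_definition(rendered):
    """Return a list of findings; an empty list means the definition matches the baseline."""
    findings = []
    for leftover in sorted(set(PLACEHOLDER_RE.findall(rendered))):
        findings.append(f"unreplaced placeholder {leftover}")
    try:
        doc = json.loads(rendered)
    except json.JSONDecodeError as exc:
        findings.append(f"invalid JSON: {exc}")
        return findings
    props = doc.get("properties", {})
    if props.get("isCustom") is not True:
        findings.append("isCustom must be true for a custom role")
    scopes = props.get("assignableScopes", [])
    if not scopes:
        findings.append("assignableScopes is empty")
    for scope in scopes:
        if not RESOURCE_GROUP_SCOPE_RE.match(scope):
            findings.append(f"scope is not a single resource group: {scope}")
    for perm in props.get("permissions", []):
        actions = set(perm.get("actions", []))
        for action in sorted(actions - BASELINE_ACTIONS):
            findings.append(f"action beyond baseline: {action}")
        for action in sorted(BASELINE_ACTIONS - actions):
            findings.append(f"baseline action missing: {action}")
        if perm.get("dataActions"):
            findings.append("dataActions should be empty")
    return findings


if __name__ == "__main__":
    # Constructed sample values; replace with your own subscription, role name and resource group.
    rendered = render_role_definition(
        "00000000-0000-0000-0000-000000000000",
        "Cloudera Dataflow Azure Operator for Single Resource Group",
        "cdf-rg",
    )
    findings = check_role_definition(rendered)
    print("\n".join(findings) or "role definition matches the baseline")
    with open("cdf-role.json", "w") as fh:
        fh.write(rendered)
```

Once the script reports no findings, the rendered file can be created and assigned with the Azure CLI: `az role definition create --role-definition @cdf-role.json`, followed by `az role assignment create --assignee <app-registration-client-id> --role "<role name>" --scope /subscriptions/<id>/resourceGroups/<name>`. Keeping the scope check in place guards against the common drift of widening `assignableScopes` to the subscription when the role is later reused for another resource group.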