Cloudera Docs

Setting up minimum permissions

The minimum permissions for Cloudera DataFlow (CDF) on Azure govern access control between Azure resources, the Azure storage account, and CDF. The minimum permissions that allow for enabling/disabling CDF and deploying/undeploying flows can be set using a custom role.

  1. Create a custom role that contains the minimum permissions.

    The following role definition outlines the minimum permissions required to create a custom role for CDF. The permissions are listed in the Actions section, so that CDF can access resources and operate correctly.

    When using the role defintiion, replace the following values:

    • [YOUR-SUBSCRIPTION-ID]: Your subscription ID in use.
    • [YOUR-RESTRICTED-ROLE-NAME]: The custom role name which is assigned to the application. For example: Cloudera Dataflow Azure Operator for Single Resource Group
    • [YOUR-RESOURCE-GROUP-NAME]: The original resource group name.
    {
   "properties": {
       "roleName": [YOUR-RESTRICTED-ROLE-NAME],
       "description": "Custom restricted role for liftie",
       "isCustom": true,
       "assignableScopes": [
           "/subscriptions/[YOUR-SUBSCRIPTION-ID]/resourceGroups/[YOUR-RESOURCE-GROUP-NAME]"
       ],
       "permissions": [
           {
               "actions": [
                    "Microsoft.ContainerService/managedClusters/read",
                    "Microsoft.ContainerService/managedClusters/write",
                    "Microsoft.ContainerService/managedClusters/agentPools/read",
                    "Microsoft.ContainerService/managedClusters/agentPools/write",
                    "Microsoft.ContainerService/managedClusters/upgradeProfiles/read",
                    "Microsoft.ContainerService/managedClusters/agentPools/delete",
                    "Microsoft.ContainerService/managedClusters/delete",
                    "Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action",
                    "Microsoft.ContainerService/managedClusters/agentPools/upgradeProfiles/read",
                    "Microsoft.Storage/storageAccounts/read",
                    "Microsoft.Storage/storageAccounts/write",
                    "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action",
                    "Microsoft.Compute/virtualMachineScaleSets/write",
                    "Microsoft.Network/virtualNetworks/subnets/join/action",
                    "Microsoft.Network/virtualNetworks/subnets/read",
                    "Microsoft.Insights/diagnosticSettings/write",
                    "Microsoft.Insights/metrics/read",
                    "Microsoft.Insights/metricDefinitions/read"
                ],
               "notActions": [],
               "dataActions": [],
               "notDataActions": []
           }
       ]
   }
}
  2. Assign the custom role to the app registration that you earlier created on the Azure Portal. For instructions, see Create an app registration and assign a role to it.