Setting up minimum permissions

The minimum permissions for Cloudera DataFlow on Azure govern access control between Azure resources, the Azure storage account, and Cloudera DataFlow. The minimum permissions that allow for enabling/disabling Cloudera DataFlow and deploying/undeploying flows can be set using a custom role.

  • You have registered an application on the Azure Portal. For instructions, see Create an app registration and assign a role to it.
  • You have created an app-based provisioning credential in your Azure subscription. For instructions, see Create a provisioning credential for Azure.
  1. Create a custom role that contains the minimum permissions.

    The following role definition outlines the minimum permissions required to create a custom role for Cloudera DataFlow. The permissions are listed in the Actions section, so that Cloudera DataFlow can access resources and operate correctly.

    When using the role defintiion, replace the following values:

    • [YOUR-SUBSCRIPTION-ID]: Your subscription ID in use.
    • [YOUR-RESTRICTED-ROLE-NAME]: The custom role name which is assigned to the application. For example: Cloudera Dataflow Azure Operator for Single Resource Group
    • [YOUR-RESOURCE-GROUP-NAME]: The original resource group name.
    {
       "properties": {
           "roleName": [YOUR-RESTRICTED-ROLE-NAME],
           "description": "Custom restricted role for liftie",
           "isCustom": true,
           "assignableScopes": [
               "/subscriptions/[YOUR-SUBSCRIPTION-ID]/resourceGroups/[YOUR-RESOURCE-GROUP-NAME]"
           ],
           "permissions": [
               {
                   "actions": [
                        "Microsoft.ContainerService/managedClusters/read",
                        "Microsoft.ContainerService/managedClusters/write",
                        "Microsoft.ContainerService/managedClusters/agentPools/read",
                        "Microsoft.ContainerService/managedClusters/agentPools/write",
                        "Microsoft.ContainerService/managedClusters/upgradeProfiles/read",
                        "Microsoft.ContainerService/managedClusters/agentPools/delete",
                        "Microsoft.ContainerService/managedClusters/delete",
                        "Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action",
                        "Microsoft.ContainerService/managedClusters/agentPools/upgradeProfiles/read",
                        "Microsoft.Storage/storageAccounts/read",
                        "Microsoft.Storage/storageAccounts/write",
                        "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action",
                        "Microsoft.Compute/virtualMachineScaleSets/write",
                        "Microsoft.Network/virtualNetworks/subnets/join/action",
                        "Microsoft.Network/virtualNetworks/subnets/read",
                        "Microsoft.Insights/diagnosticSettings/write",
                        "Microsoft.Insights/metrics/read",
                        "Microsoft.Insights/metricDefinitions/read",
                        "Microsoft.DBforPostgreSQL/flexibleServers/write",
                        "Microsoft.DBforPostgreSQL/flexibleServers/delete",
                        "Microsoft.DBforPostgreSQL/flexibleServers/start/action",
                        "Microsoft.DBforPostgreSQL/flexibleServers/read",
                        "Microsoft.DBforPostgreSQL/flexibleServers/stop/action",
                        "Microsoft.DBforPostgreSQL/flexibleServers/configurations/write",
                        "Microsoft.DBforPostgreSQL/flexibleServers/firewallRules/write", 
                        "Microsoft.MarketplaceOrdering/offertypes/publishers/offers/plans/agreements/write",
                        "Microsoft.MarketplaceOrdering/offerTypes/publishers/offers/plans/agreements/read",
                        "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/*" 
                    ],
                   "notActions": [],
                   "dataActions": [],
                   "notDataActions": []
               }
           ]
       }
    }
  2. Assign the custom role to the app registration that you earlier created on the Azure Portal. For instructions, see Create an app registration and assign a role to it.