Cloudera Docs

Set up minimum permissions

The minimum permissions for Cloudera Machine Learning on Azure govern access control between the ML workspace, Azure resources, and the Azure storage account.

To set up the minimum permissions, you first create a custom role that contains those permissions, and then assign that role to a credential, called an app registration, in your Azure subscription.

Create the custom role.

The following code example creates a custom role for CML and assigns the minimum permissions needed. The permissions are listed in the actions section, so that CML can access resources and operate correctly.

You need to substitute the following values:
  • [YOUR-SUBSCRIPTION-ID]: Your subscription ID in use.
  • [YOUR-RESTRICTED-ROLE-NAME]: The custom role name which is assigned to the application.
  • [YOUR-SINGLE-RESOURCE-GROUP]: The original resource group name.
{
   "properties": {
       "roleName": [YOUR-RESTRICTED-ROLE-NAME],
       "description": "Custom restricted role for liftie",
       "isCustom": true,
       "assignableScopes": [
           "/subscriptions/[YOUR-SUBSCRIPTION-ID]/resourceGroups/[YOUR-SINGLE-RESOURCE-GROUP]"
       ],
       "permissions": [
           {
               "actions": [
                   "Microsoft.ContainerService/managedClusters/read",
                   "Microsoft.ContainerService/managedClusters/write",
                   "Microsoft.ContainerService/managedClusters/agentPools/read",
                   "Microsoft.ContainerService/managedClusters/agentPools/write",
                   "Microsoft.ContainerService/managedClusters/upgradeProfiles/read",
			"Microsoft.ContainerService/managedClusters/agentPools/delete",
                   "Microsoft.ContainerService/managedClusters/delete",
                   "Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action",
                   "Microsoft.ContainerService/managedClusters/agentPools/upgradeProfiles/read",
                   "Microsoft.Storage/storageAccounts/read",
                   "Microsoft.Storage/storageAccounts/write",
                   "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action",
                   "Microsoft.Compute/virtualMachineScaleSets/write",
                   "Microsoft.Network/virtualNetworks/subnets/join/action",
                   "Microsoft.Network/virtualNetworks/subnets/read",
                   "Microsoft.Network/routeTables/read",
                   "Microsoft.Network/routeTables/write",
                   "Microsoft.Network/routeTables/routes/read",
                   "Microsoft.Network/routeTables/routes/write"
               ],
               "notActions": [],
               "dataActions": [],
               "notDataActions": []
           }
       ]
   }
}