The minimum permissions for Cloudera Machine Learning on Azure govern access control
between the ML workspace, Azure resources, and the Azure storage account.
To set up the minimum permissions, you first create a custom role that contains those
permissions, and then assign that role to a credential, called an app registration,
in your Azure subscription.
-
Create the custom role.
The following command creates a custom role for CML that carries only the minimum permissions
CML needs to create and operate its resources; those permissions are listed in the actions
section. Substitute your own subscription ID for
<customer-subscription-id>
(it must be the same value wherever it appears). The roleName
is a suggestion
only; a different name can be used instead. To change a role that already exists, run the same
command with az role definition update instead.
az role definition create --role-definition '
{
  "assignableScopes": [
    "/subscriptions/<customer-subscription-id>"
  ],
  "description": "",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerService/managedClusters/*",
        "Microsoft.Compute/virtualMachineScaleSets/*",
        "Microsoft.Resources/subscriptions/resourceGroups/write",
        "Microsoft.Resources/subscriptions/resourceGroups/delete",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Network/virtualNetworks/subnets/*",
        "Microsoft.ManagedIdentity/userAssignedIdentities/read",
        "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action"
      ],
      "dataActions": [],
      "notActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "cloudera-machine-learning",
  "roleType": "CustomRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}'
Alternatively, you can create the same custom role in the Azure portal.
-
Assign the custom role to the app registration. In Role, select the name of the custom role (for example,
cloudera-machine-learning
) that you created before.
-
Add a Contributor role assignment on the storage account for the app
registration. In Subscriptions, find your
subscription, go to Resources, select the storage
account to use for CML, and add a role assignment there.
In Role, select
Contributor, and in Select,
select the app registration (the assignment target is the principal that
holds the
cloudera-machine-learning
custom role, not another role). Keep this assignment scoped to the storage
account itself: Contributor gives the credential full management-plane
control of that account, including its access keys, so it should not be
granted at resource-group or subscription scope.
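The three steps above, carried out with the Azure CLI, as an added example that is not Cloudera's own tooling: it renders the role definition with the subscription ID substituted, refuses a definition that would widen the blast radius (an unreplaced placeholder, a non-subscription scope, or a bare "*" action), and only when AZ_APPLY is set creates or updates the role and makes both assignments. SUBSCRIPTION_ID, APP_ID (the app registration's application/client ID) and STORAGE_ACCOUNT_ID (the storage account's full resource ID) are hypothetical inputs, and assigning the custom role at subscription scope is an assumption the page does not spell out.

```shell
#!/bin/sh
# Added example, not from the Cloudera documentation. Inputs SUBSCRIPTION_ID,
# APP_ID and STORAGE_ACCOUNT_ID are hypothetical environment variables.
set -eu

ROLE_NAME="cloudera-machine-learning"

# Emit the page's role definition JSON with the subscription id filled in.
render_role_definition() {
  sub_id="$1"
  cat <<EOF
{
  "assignableScopes": ["/subscriptions/${sub_id}"],
  "description": "Minimum permissions for Cloudera Machine Learning",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerService/managedClusters/*",
        "Microsoft.Compute/virtualMachineScaleSets/*",
        "Microsoft.Resources/subscriptions/resourceGroups/write",
        "Microsoft.Resources/subscriptions/resourceGroups/delete",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Network/virtualNetworks/subnets/*",
        "Microsoft.ManagedIdentity/userAssignedIdentities/read",
        "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action"
      ],
      "dataActions": [],
      "notActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "${ROLE_NAME}",
  "roleType": "CustomRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
EOF
}

# Refuse definitions that silently widen the blast radius: an unreplaced
# placeholder, an assignable scope that is not a subscription, or a bare "*"
# action (which would make the role Owner-equivalent rather than a minimum).
check_role_json() {
  json="$1"
  case "$json" in
    *'<customer-subscription-id>'*)
      echo "check: subscription id placeholder was not substituted" >&2; return 1 ;;
  esac
  case "$json" in
    *'"/subscriptions/'*) ;;
    *) echo "check: assignableScopes must be a subscription scope" >&2; return 1 ;;
  esac
  case "$json" in
    *'"*"'*)
      echo "check: a bare \"*\" action is not a minimum permission" >&2; return 1 ;;
  esac
  return 0
}

# Create the role (or update it if it already exists), then assign it and the
# storage-account-scoped Contributor role to the app registration's service
# principal. Assignments target the service principal's object id, not the
# application id ("id" is the object id on current az versions).
apply() {
  sub_id="$1"; app_id="$2"; storage_id="$3"
  json=$(render_role_definition "$sub_id")
  check_role_json "$json"
  if [ -n "$(az role definition list --name "$ROLE_NAME" --query '[0].roleName' -o tsv)" ]; then
    az role definition update --role-definition "$json"
  else
    az role definition create --role-definition "$json"
  fi
  sp_oid=$(az ad sp show --id "$app_id" --query id -o tsv)
  # Assumption: the custom role is assigned at subscription scope.
  az role assignment create --assignee-object-id "$sp_oid" \
    --assignee-principal-type ServicePrincipal \
    --role "$ROLE_NAME" --scope "/subscriptions/${sub_id}"
  # Contributor is scoped to the storage account only, never the subscription.
  az role assignment create --assignee-object-id "$sp_oid" \
    --assignee-principal-type ServicePrincipal \
    --role Contributor --scope "$storage_id"
}

# Without AZ_APPLY the file only defines the functions; nothing talks to Azure.
if [ -n "${AZ_APPLY:-}" ]; then
  apply "$SUBSCRIPTION_ID" "$APP_ID" "$STORAGE_ACCOUNT_ID"
fi
```

Run it as `AZ_APPLY=1 SUBSCRIPTION_ID=... APP_ID=... STORAGE_ACCOUNT_ID=/subscriptions/.../providers/Microsoft.Storage/storageAccounts/... sh setup-cml-role.sh` from a session that is already logged in with az. The check function runs before any az call so that a definition with the placeholder left in, or with a wildcard action, never reaches the subscription.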