Set up minimum permissions

The minimum permissions for Cloudera Machine Learning on Azure govern access control between the ML workspace, Azure resources, and the Azure storage account.

To set up the minimum permissions, you first create a custom role that contains those permissions, and then assign that role to a credential, called an app registration, in your Azure subscription.

  1. Create the custom role.

    The following command creates a custom role for CML that grants only the minimum permissions needed. The permissions are listed in the actions section; together they let CML create and manage its cluster, scale sets, resource groups, subnets, and managed identities. Substitute your own subscription ID for <customer-subscription-id>. The roleName is a suggestion only; a different name can be used instead.

    az role definition create --role-definition '
        {
        "assignableScopes":[
            "/subscriptions/<customer-subscription-id>"
        ],
        "description":"",
        "permissions":[
            {
                "actions":[
                    "Microsoft.ContainerService/managedClusters/*",
                    "Microsoft.Compute/virtualMachineScaleSets/*",
                    "Microsoft.Resources/subscriptions/resourceGroups/write",
                    "Microsoft.Resources/subscriptions/resourceGroups/delete",
                    "Microsoft.Network/virtualNetworks/read",
                    "Microsoft.Network/virtualNetworks/subnets/*",
                    "Microsoft.ManagedIdentity/userAssignedIdentities/read",
                    "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action"
                ],
                "dataActions":[],
                "notActions":[],
                "notDataActions":[]
            }
        ],
        "roleName":"cloudera-machine-learning",
        "roleType":"CustomRole",
        "type":"Microsoft.Authorization/roleDefinitions"
        }'

    Alternatively, to create a custom role in the Azure portal, click Subscription > <your-subscription> > Access Control (IAM) > + Add > Add custom role (preview).

  2. Add the custom role to the app registration. Select Subscriptions > Access control (IAM) > + Add > Add role assignment. In Role, select the name of the custom role (for example, cloudera-machine-learning) you created before.
  3. Add a Contributor role for the storage account to the app-based credential. In Subscriptions, find your subscription and go to Resources, select the storage account to use for CML, then Access control (IAM) > +Add > Add role assignment. In Role, select Contributor, and in Select, select the cloudera-machine-learning custom role.
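As an added pre-flight check (example code, not Cloudera's own tooling), the script below holds the role definition from step 1 as a dict, verifies that the subscription placeholder has been replaced and that no provider-wide wildcard or data-plane action crept in, and then renders the `az` commands for creating the role and assigning it to the app registration. The subscription ID and app ID are constructed placeholders.

```python
import json
import re
SUBSCRIPTION_ID = "11111111-2222-3333-4444-555555555555"  # constructed; substitute your own
CML_ROLE = {  # the page's role definition, as a dict
    "assignableScopes": ["/subscriptions/" + SUBSCRIPTION_ID],
    "description": "",
    "permissions": [{
        "actions": [
            "Microsoft.ContainerService/managedClusters/*",
            "Microsoft.Compute/virtualMachineScaleSets/*",
            "Microsoft.Resources/subscriptions/resourceGroups/write",
            "Microsoft.Resources/subscriptions/resourceGroups/delete",
            "Microsoft.Network/virtualNetworks/read",
            "Microsoft.Network/virtualNetworks/subnets/*",
            "Microsoft.ManagedIdentity/userAssignedIdentities/read",
            "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action",
        ],
        "dataActions": [], "notActions": [], "notDataActions": [],
    }],
    "roleName": "cloudera-machine-learning",
    "roleType": "CustomRole",
    "type": "Microsoft.Authorization/roleDefinitions",
}
GUID = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}")

def check_role(role):
    """Return findings; empty means subscription-scoped, control plane only, no provider-wide wildcards."""
    findings = []
    for scope in role["assignableScopes"]:
        m = re.fullmatch(r"/subscriptions/([^/]+)(/.*)?", scope)
        if not m or not GUID.fullmatch(m.group(1)):
            findings.append("unsubstituted or malformed scope: " + scope)
    for perm in role["permissions"]:
        for action in perm["actions"]:
            # "*" or "Microsoft.Foo/*" grants every operation of a provider, not just CML's resources
            if action == "*" or re.fullmatch(r"[^/]+/\*", action):
                findings.append("provider-wide wildcard action: " + action)
        if perm["dataActions"]:
            findings.append("dataActions should be empty (control plane only)")
    return findings

def az_commands(role, app_id):
    """Render the CLI steps: create the role, then assign it to the app registration at the role's scope."""
    scope = role["assignableScopes"][0]
    return [
        "az role definition create --role-definition '%s'" % json.dumps(role),
        "az role assignment create --assignee %s --role %s --scope %s"
        % (app_id, role["roleName"], scope),
    ]
```

Run `check_role(CML_ROLE)` before executing the rendered commands; a non-empty result means the definition should be corrected first.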