Set up minimum permissions
The minimum permissions for Cloudera Machine Learning on Azure govern access control between the Cloudera Machine Learning Workspace, Azure resources, and the Azure storage account.
To set up the minimum permissions, you first create a custom role that contains those permissions, and then assign that role to a credential, called an app registration, in your Azure subscription.
Create the custom role.
The following code example creates a custom role for Cloudera Machine Learning and assigns the
minimum permissions needed. The permissions are listed in the
actions
section, so that Cloudera Machine Learning can access resources and
operate correctly.
You need to substitute the following values:
[YOUR-SUBSCRIPTION-ID]
: Your subscription ID in use.[YOUR-RESTRICTED-ROLE-NAME]
: The custom role name which is assigned to the application.[YOUR-SINGLE-RESOURCE-GROUP]
: The original resource group name.
{
"properties": {
"roleName": [YOUR-RESTRICTED-ROLE-NAME],
"description": "Custom restricted role for liftie",
"isCustom": true,
"assignableScopes": [
"/subscriptions/[YOUR-SUBSCRIPTION-ID]/resourceGroups/[YOUR-SINGLE-RESOURCE-GROUP]"
],
"permissions": [
{
"actions": [
"Microsoft.ContainerService/managedClusters/read",
"Microsoft.ContainerService/managedClusters/write",
"Microsoft.ContainerService/managedClusters/agentPools/read",
"Microsoft.ContainerService/managedClusters/agentPools/write",
"Microsoft.ContainerService/managedClusters/upgradeProfiles/read",
"Microsoft.ContainerService/managedClusters/agentPools/delete",
"Microsoft.ContainerService/managedClusters/delete",
"Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action",
"Microsoft.ContainerService/managedClusters/agentPools/upgradeProfiles/read",
"Microsoft.Storage/storageAccounts/read",
"Microsoft.Storage/storageAccounts/write",
"Microsoft.ManagedIdentity/userAssignedIdentities/assign/action",
"Microsoft.Compute/virtualMachineScaleSets/write",
"Microsoft.Network/virtualNetworks/subnets/join/action",
"Microsoft.Network/virtualNetworks/subnets/read",
"Microsoft.Network/routeTables/read",
"Microsoft.Network/routeTables/write",
"Microsoft.Network/routeTables/routes/read",
"Microsoft.Network/routeTables/routes/write",
"Microsoft.Insights/diagnosticSettings/write",
"Microsoft.Insights/metrics/read",
"Microsoft.Insights/metricDefinitions/read",
"Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
]
}
}