Configuring Fine-grained Access Control

Fine-grained Access Control allows administrators to define specific access levels for Model Endpoints for individual users or groups.

Requirements

To use fine-grained access control, your environment must meet the following version and role requirements.

Supported Cloudera Environment Datalake Versions
  • 7.2.18.1100
  • 7.3.1.500
  • 7.3.2
Required Resource roles: Users creating, modifying, or accessing Model Endpoints must have the following resource roles assigned:
  • EnvironmentUser and MLUser, or
  • MLAdmin

Enabling Fine-grained Authorization

Fine-grained authorization is disabled by default. You must enable it to define specific access levels for Model Endpoints for individual users or groups.

  1. In the Cloudera console, click the Cloudera AI tile.

    The Cloudera AI Home page displays.

  2. Click AI Inference Services under ADMINISTRATION on the left navigation menu.

    The AI Inference Services page is displayed.

  3. Select a Cloudera AI Inference service instance to access its Details page.
  4. Locate the Access Control section.
  5. Use the Enable Access Control toggle to enable it.

Authorization Workflow

Cloudera AI Inference service performs authorization based on the feature state:
  • Enabled: Knox performs initial authentication and coarse-grained authorization, then Ranger is added to the authorization chain as the final step to validate access to specific resources.
  • Disabled: Knox performs authentication and coarse-grained authorization by checking for the MLUser or MLAdmin resource roles.

Access Levels

You can specify one of three access levels for Model Endpoints for each user or group. Only one access level can be configured at a time for each unique user or group; assigning a new level through the Model Endpoint Permissions API replaces the previous one.

  • View: The model endpoint appears in the Model Endpoints list and the listEndpoints API. Users can access model endpoint metadata.
  • Access: The user or group can run inference on the model endpoint.
  • Manage: The user or group can view the endpoint, run inference, and modify or delete the endpoint.
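The authorization chain described above (Knox first, then Ranger as the final step only when the feature is enabled) together with the three access levels is small enough to model end to end. The Python below is an added example, not Cloudera's code or its API: principals, endpoint names and permission entries are constructed, the Knox and Ranger steps are stand-ins for the real services, and two rules are assumptions because the page does not state them (a user's effective grants are the union of the entries for the user and for each group they belong to, and Access grants exactly what the page lists for it, without implying View). Each denial is recorded as an audit entry, mirroring the denied-request audit log that the next section shows how to reach.

```python
"""Model of the Cloudera AI Inference authorization chain.

Added example, not Cloudera code. Knox and Ranger are modelled as two
functions in one chain; principals and endpoint names are constructed.
"""
from dataclasses import dataclass, field

# Resource roles Knox checks for coarse-grained authorization (from the page).
COARSE_ROLES = {"MLUser", "MLAdmin"}

# Operations each access level grants, exactly as the page lists them.
# Assumption: "Access" does not implicitly include "View"; the page does
# not say either way, so the model grants only what is listed.
LEVEL_GRANTS = {
    "View":   {"list", "metadata"},
    "Access": {"infer"},
    "Manage": {"list", "metadata", "infer", "modify", "delete"},
}


@dataclass
class Principal:
    name: str
    roles: set = field(default_factory=set)   # resource roles
    groups: set = field(default_factory=set)  # group memberships


@dataclass
class InferenceService:
    access_control_enabled: bool = False       # the Enable Access Control toggle
    # endpoint -> {user_or_group_name: level}; one level per subject per endpoint
    permissions: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)  # denied requests only

    def set_permission(self, endpoint, subject, level):
        """Assigning a level replaces any earlier level for that subject."""
        if level not in LEVEL_GRANTS:
            raise ValueError(f"unknown access level {level!r}")
        self.permissions.setdefault(endpoint, {})[subject] = level

    def _knox(self, p):
        # Coarse-grained step: any of the MLUser / MLAdmin roles passes.
        return bool(p.roles & COARSE_ROLES)

    def _ranger(self, p, endpoint, op):
        # Fine-grained step. Assumption: effective grants are the union of
        # the entries for the user and for each of the user's groups.
        entries = self.permissions.get(endpoint, {})
        allowed = set()
        for subject in {p.name} | p.groups:
            if subject in entries:
                allowed |= LEVEL_GRANTS[entries[subject]]
        return op in allowed

    def authorize(self, p, endpoint, op):
        if not self._knox(p):
            return self._deny(p, endpoint, op, "knox: missing MLUser/MLAdmin role")
        if not self.access_control_enabled:
            return True                         # chain ends at Knox when disabled
        if not self._ranger(p, endpoint, op):
            return self._deny(p, endpoint, op, "ranger: no matching permission")
        return True

    def _deny(self, p, endpoint, op, reason):
        self.audit.append({"user": p.name, "resource": endpoint,
                           "op": op, "reason": reason})
        return False


def demo():
    """Walk the chain with the toggle off and on; returns (results, audit)."""
    svc = InferenceService()
    alice = Principal("alice", roles={"EnvironmentUser", "MLUser"}, groups={"data-science"})
    bob = Principal("bob", roles={"EnvironmentUser"})     # no ML role at all
    ep = "sentiment-v2"                                    # constructed endpoint name
    out = {}
    out["disabled_alice_infer"] = svc.authorize(alice, ep, "infer")    # Knox only
    out["disabled_bob_infer"] = svc.authorize(bob, ep, "infer")        # Knox denies
    svc.access_control_enabled = True
    out["enabled_alice_no_grant"] = svc.authorize(alice, ep, "infer")  # Ranger denies
    svc.set_permission(ep, "data-science", "Access")
    out["group_access_infer"] = svc.authorize(alice, ep, "infer")      # via group
    out["group_access_delete"] = svc.authorize(alice, ep, "delete")    # Access != Manage
    svc.set_permission(ep, "alice", "Manage")
    out["user_manage_delete"] = svc.authorize(alice, ep, "delete")
    svc.set_permission(ep, "alice", "View")                # replaces Manage
    out["after_view_delete"] = svc.authorize(alice, ep, "delete")
    out["after_view_infer"] = svc.authorize(alice, ep, "infer")        # still via group
    out["denials"] = len(svc.audit)
    return out, svc.audit


if __name__ == "__main__":
    results, audit = demo()
    for k, v in results.items():
        print(f"{k}: {v}")
    for entry in audit:
        print("DENIED", entry)
```

The last two steps of demo are the point of the single-level rule: re-assigning alice from Manage to View silently removes her delete right on that endpoint, while inference survives only because her group still holds Access. When auditing a denial in Ranger, check the group entries as well as the user entry before concluding a permission is missing.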

Accessing the Audit Log for denied requests

When Fine-grained Access Control is enabled, the system generates audit logs for denied requests.

  1. In the Cloudera console, click the Cloudera AI tile.

    The Home page displays.

  2. Click AI Inference Services under ADMINISTRATION on the left navigation menu.

    The AI Inference Services page is displayed.

  3. Click on the Environment name of the Cloudera AI Inference service instance.

    The Cloudera Management Console page displays.

  4. In the Cloudera Management Console page, click Data Lake.
  5. In the Data Lake page, click Ranger.

    Ranger's Service Manager page displays.

  6. Click Audits > Access in the left navigation pane.
  7. In the Search bar, select the filter Service Name with value .
  8. Click on the Public ID link to view the log files.