Azure permissions

As an administrator, you must be able to create and manage the resources in the Azure subscription where CDP users create clusters and run jobs. In practice this means you need the rights to perform every administrative task on every resource in that subscription.

Cloudera recommends that the administrator have the Owner role on the Azure subscription and the Application Developer role or higher in Azure Active Directory.

The administrator must create a custom role with the following definition. The subscription ID shown under AssignableScopes is an example; replace it with the ID of the subscription in which CDP will create resources. Note that the role includes listkeys/action and regeneratekey/action on storage accounts, which expose the account keys, so assign it only to the identity that CDP uses.

{
  "Name": "cloudbreak operator msi extended",
  "Description": "Can use Cloudbreak managed clusters and resources, now extended with MSI rights, 28.11.2019.",
  "Actions": [
    "Microsoft.Storage/*/read",
    "Microsoft.Storage/storageAccounts/write",
    "Microsoft.Storage/storageAccounts/blobServices/write",
    "Microsoft.Storage/storageAccounts/blobServices/containers/*",
    "Microsoft.Storage/storageAccounts/listkeys/action",
    "Microsoft.Storage/storageAccounts/regeneratekey/action",
    "Microsoft.Storage/storageAccounts/delete",
    "Microsoft.Storage/locations/deleteVirtualNetworkOrSubnets/action",
    "Microsoft.Network/virtualNetworks/*",
    "Microsoft.Network/publicIPAddresses/*",
    "Microsoft.Network/networkInterfaces/*",
    "Microsoft.Network/networkSecurityGroups/*",
    "Microsoft.Network/*/read",
    "Microsoft.Compute/availabilitySets/*",
    "Microsoft.Compute/disks/*",
    "Microsoft.Compute/images/*",
    "Microsoft.Compute/virtualMachines/*",
    "Microsoft.Compute/*/read",
    "Microsoft.Authorization/*/read",
    "Microsoft.DataLakeStore/*/read",
    "Microsoft.Features/*/read",
    "Microsoft.ResourceHealth/*/read",
    "Microsoft.Resources/subscriptions/resourceGroups/*",
    "Microsoft.Resources/deployments/*",
    "Microsoft.Resources/*/read",
    "Microsoft.Support/*",
    "Microsoft.ManagedIdentity/userAssignedIdentities/write",
    "Microsoft.ManagedIdentity/userAssignedIdentities/read",
    "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action",
    "Microsoft.DBforPostgreSQL/servers/write",
    "Microsoft.DBforPostgreSQL/servers/virtualNetworkRules/write"
  ],
  "NotActions": [],
  "DataActions": [
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/*"
  ],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/a9d4456e-349f-44f6-bc73-54a8d523e504"
  ]
}
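Once the role exists, it is worth checking that what Azure actually holds matches the definition above, and that nothing broader slipped in. The script below is an added example for this page, not Cloudera's or Microsoft's code. It compares a required role definition with a deployed one using the Azure RBAC matching rules (action strings compare case-insensitively and "*" matches any run of characters, including "/"), reports required actions that are not fully granted, and reports deployed actions that are broader than, or unrelated to, the required list. The REQUIRED and DEPLOYED samples are constructed: REQUIRED is a subset of the page's action list, and DEPLOYED is written in the shape that `az role definition list` returns (lowercase keys under "permissions"), with one rule missing, one broader, one unrelated and one NotActions entry, so that every check has something to report. The overlap test for NotActions is an approximation (either pattern, read literally, is matched by the other) rather than a full wildcard intersection.

```python
"""Check a deployed Azure custom role against a required definition.
Added example for this page; not Cloudera's or Microsoft's code."""
import json
import re
import sys

KINDS = ("actions", "notactions", "dataactions", "notdataactions")


def _rx(pattern):
    """Compile an Azure action pattern: '*' becomes '.*', the rest is literal."""
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$", re.I)


def overlaps(a, b):
    """Approximate 'a and b can name a common operation': either pattern,
    read literally, is matched by the other."""
    return bool(_rx(a).match(b) or _rx(b).match(a))


def normalize(role):
    """Accept the hand-written shape ('Actions', 'NotActions', ...) or the
    shape `az role definition list` returns ('permissions': [{'actions': ...}])."""
    merged = {k: [] for k in KINDS}
    for block in role.get("permissions") or [role]:
        for key, values in block.items():
            if key.lower() in merged:
                merged[key.lower()].extend(values)
    return merged


def missing_actions(required, deployed, kind="actions"):
    """Required patterns the deployed role does not fully grant: no deployed
    pattern covers them, or a deployed Not* pattern carves a piece out."""
    req, dep = normalize(required), normalize(deployed)
    missing = []
    for r in req[kind]:
        covered = any(_rx(d).match(r) for d in dep[kind])
        denied = any(overlaps(n, r) for n in dep["not" + kind])
        if not covered or denied:
            missing.append(r)
    return missing


def excess_actions(required, deployed, kind="actions"):
    """Deployed patterns absent from the required list, split into 'broader'
    (they cover at least one required pattern) and 'unrelated'."""
    req, dep = normalize(required), normalize(deployed)
    wanted = {r.lower() for r in req[kind]}
    broader, unrelated = [], []
    for d in dep[kind]:
        if d.lower() in wanted:
            continue
        (broader if any(_rx(d).match(r) for r in req[kind]) else unrelated).append(d)
    return broader, unrelated


def scope_ok(role, subscription_id):
    """True if the role can be assigned at the given subscription."""
    scopes = role.get("AssignableScopes") or role.get("assignableScopes") or []
    return f"/subscriptions/{subscription_id}".lower() in {s.lower() for s in scopes}


# Constructed sample: a subset of the action list on this page.
REQUIRED = {
    "Actions": [
        "Microsoft.Storage/*/read",
        "Microsoft.Storage/storageAccounts/listkeys/action",
        "Microsoft.Network/virtualNetworks/*",
        "Microsoft.Compute/virtualMachines/*",
        "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action",
        "Microsoft.DBforPostgreSQL/servers/virtualNetworkRules/write",
    ],
    "NotActions": [],
    "DataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/*"],
    "NotDataActions": [],
    "AssignableScopes": ["/subscriptions/a9d4456e-349f-44f6-bc73-54a8d523e504"],
}

# Constructed sample in the `az role definition list` shape. Relative to
# REQUIRED it lacks the PostgreSQL rule, grants Microsoft.Network/* (broader),
# adds Microsoft.KeyVault/* (unrelated) and denies virtual machine deletion.
DEPLOYED = {
    "roleName": "cloudbreak operator msi extended",
    "assignableScopes": ["/subscriptions/a9d4456e-349f-44f6-bc73-54a8d523e504"],
    "permissions": [{
        "actions": [
            "Microsoft.Storage/*/read",
            "Microsoft.Storage/storageAccounts/listkeys/action",
            "Microsoft.Network/*",
            "Microsoft.Compute/virtualMachines/*",
            "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action",
            "Microsoft.KeyVault/*",
        ],
        "notActions": ["Microsoft.Compute/virtualMachines/delete"],
        "dataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/*"],
        "notDataActions": [],
    }],
}

if __name__ == "__main__":
    if len(sys.argv) == 3:  # python check_role.py role.json deployed.json
        with open(sys.argv[1]) as f:
            required = json.load(f)
        with open(sys.argv[2]) as f:
            deployed = json.load(f)
        deployed = deployed[0] if isinstance(deployed, list) else deployed
    else:
        required, deployed = REQUIRED, DEPLOYED
    for kind in ("actions", "dataactions"):
        print(kind, "missing:", missing_actions(required, deployed, kind))
        print(kind, "excess (broader, unrelated):", excess_actions(required, deployed, kind))
    sub = required["AssignableScopes"][0].split("/")[-1]
    print("assignable at required subscription:", scope_ok(deployed, sub))
```

To run it against a real subscription, save the definition above as role.json, create the role with `az role definition create --role-definition @role.json`, export what Azure holds with `az role definition list --name "cloudbreak operator msi extended" > deployed.json`, and run `python check_role.py role.json deployed.json`. Anything listed under "missing" will make CDP fail on that operation; anything under "broader" or "unrelated" is a least-privilege finding to remove before assigning the role.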