How to migrate by resource type

This topic lists all resource types and includes recommendations as to what roles should be assigned to each resource in place of the deprecated roles.

Credential

  • Previously accessible by:
    • Account roles: PowerUser, EnvironmentAdmin (Deprecated)
  • Admin privilege: The Owner role grants full rights on the credential, including the ability to delete it.
  • Least privilege: The SharedResourceUser resource role grants the right to create an environment with the specified credential (as long as you also have the EnvironmentCreator role required for registering an environment).

To grant admin access to a credential, you can assign Owner over the specific credential to a user or group from the CDP web interface > Shared Resources > Credentials page by navigating to the credential details page and clicking Manage Access. This needs to be done separately for each credential.

Or you can do it from CDP CLI. For example:

  • To assign Owner over a credential to a user:
    cdp iam assign-user-resource-role --user <USER-CRN> \
      --resource-role-crn crn:altus:iam:us-west-1:altus:resourceRole:Owner \
      --resource-crn <CREDENTIAL-CRN>
  • To assign Owner over a credential to a group:
    cdp iam assign-group-resource-role --group-name <GROUP-NAME-OR-CRN> \
      --resource-role-crn crn:altus:iam:us-west-1:altus:resourceRole:Owner \
      --resource-crn <CREDENTIAL-CRN>

To allow a user to register an environment with the credential, you can assign SharedResourceUser over the specific credential to a user or group from the CDP web interface > Shared Resources > Credentials page by navigating to the credential details page and clicking Manage Access. This needs to be done separately for each credential.

Or you can do it from CDP CLI. For example:

  • To assign SharedResourceUser over a credential to a user:
    cdp iam assign-user-resource-role --user <USER-CRN> \
      --resource-role-crn crn:altus:iam:us-west-1:altus:resourceRole:SharedResourceUser \
      --resource-crn <CREDENTIAL-CRN>
  • To assign SharedResourceUser over a credential to a group:
    cdp iam assign-group-resource-role --group-name <GROUP-NAME-OR-CRN> \
      --resource-role-crn crn:altus:iam:us-west-1:altus:resourceRole:SharedResourceUser \
      --resource-crn <CREDENTIAL-CRN>

Environment

  • Previously accessible by:
    • Account roles: PowerUser, EnvironmentAdmin (Deprecated), EnvironmentUser (Deprecated)
    • Resource roles: EnvironmentAdmin, EnvironmentUser
  • Admin privilege: Owner and EnvironmentAdmin combined grant full rights on the environment. While Owner can manage and delete the environment, EnvironmentAdmin can administer Data Lake and Data Hub clusters. It is also worth mentioning the DataSteward role, which grants permission to perform user/group management functions in Ranger and Atlas Admin, start user sync, and manage ID Broker mappings.
  • Least privilege: EnvironmentUser is able to browse the environment and has access to the clusters running within the environment.

If you have previously assigned the EnvironmentAdmin or EnvironmentUser resource roles, you do not need to make any changes. However, if you have previously assigned the deprecated EnvironmentAdmin and EnvironmentUser account roles, you should migrate to the resource roles.

For example, to allow basic access, you can assign EnvironmentUser over the specific environment to a user or group from the CDP web interface, on the environment details page, via the Manage Access option in the Actions menu. This needs to be done separately for each environment for which you want the user or group to be a user.

Or you can do it from CDP CLI. For example:

  • To assign EnvironmentUser over an environment to a user:
    cdp iam assign-user-resource-role --user <USER-CRN> \
      --resource-role-crn crn:altus:iam:us-west-1:altus:resourceRole:EnvironmentUser \
      --resource-crn <ENVIRONMENT-CRN>
  • To assign EnvironmentUser over an environment to a group:
    cdp iam assign-group-resource-role --group-name <GROUP-NAME-OR-CRN> \
      --resource-role-crn crn:altus:iam:us-west-1:altus:resourceRole:EnvironmentUser \
      --resource-crn <ENVIRONMENT-CRN>

You need to run this command for each environment for which you want the user or group to be a user.
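Because every resource role is scoped to a single resource, the same `cdp iam assign-*-resource-role` call has to be repeated per credential, environment, Data Hub or shared resource. The following POSIX shell script is an added example, not part of the Cloudera documentation: it builds one assignment per resource CRN read from stdin, rejects input lines that are not CRNs, and only prints the commands unless DRY_RUN=0 is set. The sample environment CRNs and the group name are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the Cloudera documentation. Assigns one resource role
# to one user or group over a list of resource CRNs, one assignment per
# resource, because resource roles are scoped to a single resource.
# DRY_RUN=1 (the default) prints each command instead of running it.

ROLE_PREFIX="crn:altus:iam:us-west-1:altus:resourceRole"

# role_crn ROLE -> full resource-role CRN, e.g. role_crn EnvironmentUser
role_crn() { printf '%s:%s\n' "$ROLE_PREFIX" "$1"; }

# assign_cmd KIND PRINCIPAL ROLE RESOURCE_CRN -> prints the cdp command line.
# KIND is "user" (PRINCIPAL is a user CRN) or "group" (group name or CRN).
# Refuses resource identifiers that do not look like CRNs, so a stray name in
# the input list is caught before anything is sent to the API.
assign_cmd() {
  case "$4" in crn:*) ;; *) echo "not a CRN: $4" >&2; return 1 ;; esac
  case "$1" in
    user)  printf 'cdp iam assign-user-resource-role --user %s' "$2" ;;
    group) printf 'cdp iam assign-group-resource-role --group-name %s' "$2" ;;
    *)     echo "principal kind must be user or group: $1" >&2; return 1 ;;
  esac
  printf ' --resource-role-crn %s --resource-crn %s\n' "$(role_crn "$3")" "$4"
}

# assign_many KIND PRINCIPAL ROLE  (resource CRNs on stdin, one per line)
# Stops at the first invalid line rather than skipping it silently.
assign_many() {
  while IFS= read -r crn; do
    [ -z "$crn" ] && continue
    cmd=$(assign_cmd "$1" "$2" "$3" "$crn") || return 1
    # CRNs contain no whitespace or glob characters, so plain word splitting
    # of $cmd is enough to run it; no eval is needed.
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "$cmd"; else $cmd; fi
  done
}

# Constructed placeholder CRNs for the demonstration; real ones come from
# the CDP CLI or the environment details page.
SAMPLE_ENVS='crn:cdp:environments:us-west-1:EXAMPLE-ACCOUNT:environment:env-a
crn:cdp:environments:us-west-1:EXAMPLE-ACCOUNT:environment:env-b'

# Least-privilege grant: EnvironmentUser over each environment for one group.
echo "$SAMPLE_ENVS" | assign_many group data-analysts EnvironmentUser
```

Run it once in dry-run mode, review the printed commands, then rerun with DRY_RUN=0 against an authenticated CDP CLI session.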

Data Hub

  • Previously accessible by:
    • Account roles: PowerUser, EnvironmentAdmin (Deprecated), EnvironmentUser (Deprecated)
    • Resource roles: EnvironmentAdmin, EnvironmentUser
  • Admin privilege: The Owner resource role assigned at the scope of the Data Hub grants the ability to manage the Data Hub cluster on the Management Console level, including the ability to delete the Data Hub. Cluster administration actions are provided by the EnvironmentAdmin role assigned on the environment where the Data Hub is running.
  • Least privilege: The EnvironmentUser resource role granted on the environment where the Data Hub is running provides the ability to browse the Data Hub cluster.

For user access to the Data Hub, the EnvironmentUser resource role granted on the environment where the Data Hub is running is sufficient for browsing the cluster. You do not need to assign any additional roles.

For admin access to the Data Hub, you can assign the Owner role over a specific Data Hub cluster from CDP CLI. For example:

  • To assign Owner over a Data Hub cluster to a user:
    cdp iam assign-user-resource-role --user <USER-CRN> \
      --resource-role-crn crn:altus:iam:us-west-1:altus:resourceRole:Owner \
      --resource-crn <DATAHUB-CRN>
  • To assign Owner over a Data Hub cluster to a group:
    cdp iam assign-group-resource-role --group-name <GROUP-NAME-OR-CRN> \
      --resource-role-crn crn:altus:iam:us-west-1:altus:resourceRole:Owner \
      --resource-crn <DATAHUB-CRN>

Image catalog, recipe, cluster template

  • Previously accessible by:
    • Account roles: PowerUser
  • Admin privilege: Owner grants the ability to manage the shared resource (including the ability to delete it).
  • Least privilege: Any resource that exists outside of an environment's context can be shared by its Owner through the special SharedResourceUser role. For example, assigning the SharedResourceUser role over a custom image catalog to a user allows the user to create a Data Hub cluster using that custom image catalog.

To grant admin access to a shared resource, you can assign Owner over the specific shared resource to a user or group from the CDP web interface > Shared Resources by clicking on the resource, navigating to the resource details page and clicking Manage Access. This needs to be done separately for each shared resource.

Or you can do it from CDP CLI. For example:

  • To assign Owner over a shared resource to a user:
    cdp iam assign-user-resource-role --user <USER-CRN> \
      --resource-role-crn crn:altus:iam:us-west-1:altus:resourceRole:Owner \
      --resource-crn <SHARED-RESOURCE-CRN>
  • To assign Owner over a shared resource to a group:
    cdp iam assign-group-resource-role --group-name <GROUP-NAME-OR-CRN> \
      --resource-role-crn crn:altus:iam:us-west-1:altus:resourceRole:Owner \
      --resource-crn <SHARED-RESOURCE-CRN>

To allow a user or group to use a shared resource without administering it (for example, to create a Data Hub cluster with a custom image catalog), you can assign SharedResourceUser over the specific shared resource to a user or group from the CDP web interface > Shared Resources by clicking on the resource, navigating to the resource details page and clicking Manage Access. This needs to be done separately for each shared resource.

You can assign the SharedResourceUser role over a specific shared resource from CDP CLI. For example:

  • To assign SharedResourceUser over a resource to a user:
    cdp iam assign-user-resource-role --user <USER-CRN> \
      --resource-role-crn crn:altus:iam:us-west-1:altus:resourceRole:SharedResourceUser \
      --resource-crn <RESOURCE-CRN>
  • To assign SharedResourceUser over a resource to a group:
    cdp iam assign-group-resource-role --group-name <GROUP-NAME-OR-CRN> \
      --resource-role-crn crn:altus:iam:us-west-1:altus:resourceRole:SharedResourceUser \
      --resource-crn <RESOURCE-CRN>