Authorization

Note

This feature is only available in Ververica Platform Stream Edition and above.

Authorization is the process of verifying that an authenticated entity (such as a user) has access to a resource and can perform a desired action. Ververica Platform implements a simple yet powerful authorization model based on preset roles.

We first describe our preset roles and then show how to bind a role to an entity such as a user or group.

Roles

Roles grant permissions to access resources. They specify which resources can be accessed and how they can be accessed. The following roles are available:

  • Viewer: read-only access to all resources within a Namespace, except for Secret Values and some special endpoints in the Apache Flink® UI.
  • Editor: read and write access to all resources within a Namespace except Deployment Targets and API Tokens.
  • Owner: full access within a Namespace.
  • Admin: read and write access to all Namespace resources (but no implicit access to individual Namespaces or their subresources).

Resource             Viewer              Editor       Owner        Admin
Artifacts            List, GetMetadata   All          All          None
ApiToken             None                None         All          None
DeploymentDefaults   Get                 Get          All          None
DeploymentTarget     List, Get           List, Get    All          None
Apache Flink® UI     Get*                All          All          None
Namespace            None                None         Get, Update  All
SecretValue          None                All          All          None
All Others           List, Get           All          All          None

* Except for TaskManager thread dumps, datasets and job cancellation requests.

Role Bindings

In order to assign a role to an authenticated entity such as a user or a group, the role has to be explicitly bound to it.

The Namespace resource allows assigning individual users and groups to the roles viewer, editor, and owner. All assigned roles are scoped to the respective Namespace and don’t imply any permissions in other Namespaces.

Members can be individual users, groups, or system-level groups:

  • user:foo@bar.com matches the user foo@bar.com.
  • group:vvp-editors matches users in the group vvp-editors.
  • system:authenticated matches all authenticated users.

Example: Assign roles in a Namespace

{
  "namespace": {
    "name": "namespaces/foo",
    "roleBindings": [
      {
        "role": "viewer",
        "members": [ "system:authenticated" ]
      },
      {
        "role": "editor",
        "members": [ "group:vvp-editors" ]
      },
      {
        "role": "owner",
        "members": [ "user:foo@bar.com" ]
      }
    ]
  }
}

In the example above, any authenticated user is assigned the viewer role. All members of the vvp-editors group are assigned the editor role. The user authenticated as foo@bar.com is assigned the owner role.

Administrators

The admin role is configured on a global level in the main configuration file of Ververica Platform.

Administrators get full read/write access to Namespace resources. However, the admin role does not imply access to resources within a Namespace unless additional permissions are explicitly granted as shown above.

vvp:
  auth:
    enabled: true
    # A list of users and groups that are granted the admin role.
    # - `user:foo@bar.com` matches the user `foo@bar.com`
    # - `group:vvp-admins` matches users in the group `vvp-admins`
    # - `system:authenticated` matches all authenticated users
    admins:
    - user:foo@bar.com
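
The following is an added example, not Ververica Platform code: a stand-alone authorization check that combines the role matrix, the Namespace role bindings from the example above, and the global admins list into a single decision function, so the scoping rules (roles are per Namespace, admins only get the Namespace object itself) can be exercised directly. The member `user:admin@bar.com` and the caller identities are constructed; the footnoted Apache Flink® UI exceptions are not modelled.

```python
# Added example (not Ververica Platform code): an authorization check built
# from this page's role matrix and role-binding format. The Flink UI footnote
# exceptions are not modelled.
ALL = "*"  # marker: every action on the resource is permitted

# Per-role permissions transcribed from the table above; the ALL key is the
# "All Others" row and is the fallback for resources not listed for a role.
MATRIX = {
    "viewer": {"Artifacts": {"List", "GetMetadata"}, "ApiToken": set(),
               "DeploymentDefaults": {"Get"}, "DeploymentTarget": {"List", "Get"},
               "FlinkUI": {"Get"}, "Namespace": set(), "SecretValue": set(),
               ALL: {"List", "Get"}},
    "editor": {"ApiToken": set(), "DeploymentDefaults": {"Get"},
               "DeploymentTarget": {"List", "Get"}, "Namespace": set(), ALL: {ALL}},
    "owner": {"Namespace": {"Get", "Update"}, ALL: {ALL}},
}

# The page's "namespaces/foo" role bindings, embedded as sample input.
NAMESPACE = {"name": "namespaces/foo", "roleBindings": [
    {"role": "viewer", "members": ["system:authenticated"]},
    {"role": "editor", "members": ["group:vvp-editors"]},
    {"role": "owner", "members": ["user:foo@bar.com"]}]}
ADMINS = ["user:admin@bar.com"]  # constructed; mirrors vvp.auth.admins

def member_matches(member, user, groups):
    """Match one binding member (user:/group:/system:) against the caller."""
    kind, _, name = member.partition(":")
    if kind == "user":
        return name == user
    if kind == "group":
        return name in groups
    if kind == "system":
        return name == "authenticated" and user is not None
    return False  # unknown prefix: fail closed

def roles_for(user, groups, namespace=NAMESPACE):
    return {b["role"] for b in namespace["roleBindings"]
            if any(member_matches(m, user, groups) for m in b["members"])}

def role_allows(role, resource, action):
    perms = MATRIX[role]
    actions = perms.get(resource, perms[ALL])
    return ALL in actions or action in actions

def authorize(user, groups, resource, action, namespace=NAMESPACE, admins=ADMINS):
    """True if the caller may perform `action` on `resource` in `namespace`."""
    # Admins get the Namespace object itself; anything inside it still needs a binding.
    if resource == "Namespace" and any(member_matches(m, user, groups) for m in admins):
        return True
    return any(role_allows(r, resource, action) for r in roles_for(user, groups, namespace))
```

Because the example Namespace binds `system:authenticated` to viewer, even the admin can list Deployments in it; remove that binding and the admin is left with the Namespace object alone.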

API Tokens

API Tokens are a namespaced resource that allows non-interactive (machine-to-machine) access to Ververica Platform. They have a designated role as part of their specification.