Authorization
Authorization is the process of verifying that an authenticated entity (such as a user) is permitted to access a resource and to perform the desired action on it. Ververica Platform implements a role-based authorization model built on a small set of preset roles.
We first describe our preset roles and then show how to bind a role to an entity such as a user or group.
Roles
Roles grant permissions to access resources. They specify which resources can be accessed and how they can be accessed. The following roles are available:
- Viewer: read-only access to all resources within a Namespace, except Secret Values (no access) and a few endpoints of the Apache Flink® UI (see the table below).
- Editor: read and write access to all resources within a Namespace, except that Deployment Targets and Deployment Defaults are read-only and API Tokens are not accessible.
- Owner: full access within a Namespace, including API Tokens, Deployment Targets and Deployment Defaults.
- Admin: a global role with full access to the Namespace resource itself (all operations, where an Owner has only Get and Update), but no implicit access to the resources within any Namespace.
| Resource | Viewer | Editor | Owner | Admin |
|---|---|---|---|---|
| Artifacts | List, GetMetadata | All | All | None |
| ApiToken | None | None | All | None |
| DeploymentDefaults | Get | Get | All | None |
| DeploymentTarget | List, Get | List, Get | All | None |
| Apache Flink® UI | Get\* | All | All | None |
| Namespace | None | None | Get, Update | All |
| SecretValue | None | All | All | None |
| All Others | List, Get | All | All | None |

\* Except for TaskManager thread dumps, datasets and job cancellation requests.
Role Bindings
In order to assign a role to an authenticated entity such as a user or a group, the role has to be explicitly bound to that entity.

The Namespace resource allows individual users and groups to be assigned to the roles viewer, editor, and owner. All assigned roles are scoped to the respective Namespace and do not imply any permissions in other Namespaces.

Members can be individual users, groups, or system-level groups:

- `user:foo@bar.com` matches the user foo@bar.com.
- `group:vvp-editors` matches users in the group vvp-editors.
- `system:authenticated` matches all authenticated users.
Example: Assign roles in a Namespace
```json
{
  "namespace": {
    "name": "namespaces/foo",
    "roleBindings": [
      {
        "role": "viewer",
        "members": [ "system:authenticated" ]
      },
      {
        "role": "editor",
        "members": [ "group:vvp-editors" ]
      },
      {
        "role": "owner",
        "members": [ "user:foo@bar.com" ]
      }
    ]
  }
}
```
In the example above, any authenticated user is assigned the viewer role. All members of the vvp-editors group are assigned the editor role. The user authenticated as foo@bar.com is assigned the owner role.
Administrators
The admin role is configured globally in the main configuration file of Ververica Platform.

Administrators get full read/write access to Namespace resources. The admin role does not, however, imply any access to the resources within a Namespace: an administrator who needs to work inside a Namespace has to be bound to one of its roles (viewer, editor, or owner) as shown above.
```yaml
vvp:
  auth:
    enabled: true
    # A list of users and groups that are granted the admin role.
    # - `user:foo@bar.com` matches the user `foo@bar.com`
    # - `group:vvp-admins` matches users in the group `vvp-admins`
    # - `system:authenticated` matches all authenticated users
    admins:
      - user:foo@bar.com
```
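The following is an added example, not Ververica Platform code or its API: a small Python evaluator that transcribes the permission table, the three member forms and the split between Namespace roles and the global admin role from this page, so that the effect of a role binding can be checked offline before it is applied. The resource and verb names (`Deployment`, `FlinkUI`, `Create`, `Delete`), the request shape, the `lint_bindings` check, the empty Namespace `namespaces/bar` and the admin account `admin@bar.com` are assumptions made for this example; the bindings for `namespaces/foo` mirror the JSON example above.

```python
"""Toy evaluator of the authorization model described on this page.

Added illustration, not Ververica Platform code. The permission table, the
member forms (user:, group:, system:authenticated) and the Namespace-role /
global-admin split are transcribed from the page. Resource names such as
"Deployment" and "FlinkUI", the verb strings and the (resource, verb) request
shape are assumptions made for this example.
"""
from dataclasses import dataclass, field

# Permission table from the page: role -> resource -> allowed verbs.
# "All" is written as the wildcard "*"; the "*" resource key is "All Others".
PERMISSIONS = {
    "viewer": {
        "Artifacts": {"List", "GetMetadata"},
        "ApiToken": set(),
        "DeploymentDefaults": {"Get"},
        "DeploymentTarget": {"List", "Get"},
        "FlinkUI": {"Get"},  # page footnote: a few UI endpoints are excluded
        "Namespace": set(),
        "SecretValue": set(),
        "*": {"List", "Get"},
    },
    "editor": {
        "ApiToken": set(),
        "DeploymentDefaults": {"Get"},
        "DeploymentTarget": {"List", "Get"},
        "Namespace": set(),
        "*": {"*"},
    },
    "owner": {
        "Namespace": {"Get", "Update"},
        "*": {"*"},
    },
}
# The admin role is global and covers only the Namespace resource itself.
ADMIN_PERMISSIONS = {"Namespace": {"*"}}

@dataclass
class Principal:
    user: str
    groups: frozenset = frozenset()

@dataclass
class RoleBinding:
    role: str
    members: list

@dataclass
class Namespace:
    name: str
    role_bindings: list = field(default_factory=list)

def member_matches(member: str, p: Principal) -> bool:
    """Apply the three member forms the page defines; anything else is rejected."""
    kind, _, value = member.partition(":")
    if kind == "user":
        return value == p.user
    if kind == "group":
        return value in p.groups
    if kind == "system" and value == "authenticated":
        return True  # every authenticated principal
    raise ValueError(f"unknown member form: {member!r}")

def roles_in_namespace(ns: Namespace, p: Principal) -> set:
    """Roles the principal holds in this Namespace; bindings never cross Namespaces."""
    return {b.role for b in ns.role_bindings
            if any(member_matches(m, p) for m in b.members)}

def allowed_by(table: dict, resource: str, verb: str) -> bool:
    """Look the resource up in a role's table, falling back to its "All Others" row."""
    verbs = table.get(resource, table.get("*", set()))
    return "*" in verbs or verb in verbs

def is_allowed(ns: Namespace, admins: list, p: Principal, resource: str, verb: str) -> bool:
    """Namespace-scoped roles are checked first, then the global admin role."""
    if any(allowed_by(PERMISSIONS[r], resource, verb) for r in roles_in_namespace(ns, p)):
        return True
    if any(member_matches(m, p) for m in admins):
        return allowed_by(ADMIN_PERMISSIONS, resource, verb)
    return False

def lint_bindings(ns: Namespace) -> list:
    """Assumed review check: flag write roles handed to every authenticated account."""
    return [b.role for b in ns.role_bindings
            if b.role in ("editor", "owner") and "system:authenticated" in b.members]

# Constructed sample: the bindings mirror the page's JSON example; "namespaces/bar"
# (no bindings) and the admin account admin@bar.com are assumptions for this example.
FOO = Namespace("namespaces/foo", [
    RoleBinding("viewer", ["system:authenticated"]),
    RoleBinding("editor", ["group:vvp-editors"]),
    RoleBinding("owner", ["user:foo@bar.com"]),
])
BAR = Namespace("namespaces/bar")
ADMINS = ["user:admin@bar.com"]

if __name__ == "__main__":
    admin = Principal("admin@bar.com")
    print("admin deletes bar:", is_allowed(BAR, ADMINS, admin, "Namespace", "Delete"))
    print("admin reads a Deployment in bar:", is_allowed(BAR, ADMINS, admin, "Deployment", "Get"))
```

Two points the evaluator makes concrete: because `system:authenticated` matches every account that can log in, the viewer binding in the example gives every logged-in user read access to the Deployments in `namespaces/foo` (binding that member to editor or owner would hand them write access as well, which `lint_bindings` flags); and an account listed under `vvp.auth.admins` can delete a Namespace it has no binding in, yet cannot read a single Deployment inside it.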
API Tokens
API Tokens are a namespaced resource that allows non-interactive (machine-to-machine) access to Ververica Platform. Each API Token carries a designated role as part of its specification. As the table above shows, only Owners can manage API Tokens; Viewers and Editors have no access to them.