Set Object Policy for a Cluster
You can set a policy for an individual object and restrict users or groups from accessing the object. This overrides the access granted to the object at the account level in the Control Panel. For more information, see Managing Roles.
Managing Cluster Permissions through the UI describes how to set cluster permissions through the QDS UI.
Note
Understanding the Soft-enforced Cluster Permissions provides the list of cluster permissions that would be enforced with one cluster permission.
PUT /api/v1.2/object_policy/policy
Use this API to set an object policy. Qubole supports the object policy API for notebooks and clusters. This section describes setting an object policy for a cluster.
Note
If you allow access to a user who is part of a group that has restricted access, then that user is allowed access, and vice versa. For more information, see Understanding the Precedence of Cluster Permissions.
Required Role
The following users can make this API call:
- Users who belong to the system-admin group or who own the object.
- Users who belong to a group associated with a role that allows setting an object policy. See Managing Groups and Managing Roles for more information.
Parameters
Note
Parameters marked in bold are mandatory. Others are optional and have default values.
Parameter | Description |
---|---|
source_id | It specifies the ID of the object based on the source_type. |
source_type | It specifies the object. It must be "cluster" for a cluster. |
policy | Array of policies to be assigned to a cluster. Each policy includes the following parameters: Note: Escape the policy elements and their corresponding values, except the user ID and group ID values. |
Request API Syntax
curl -X PUT -H "X-AUTH-TOKEN: <API-TOKEN>" -H "Content-Type: application/json" -H "Accept: application/json" \
-d '{"source_id":"<Object_ID>", "source_type": "<Object>",
"policy": "[{\"access\":\"<Access>\",\"condition\":{\"qbol_users\":[<User ID>]},\"action\":[\"<Actions>\"]},{\"access\":\"<Access>\",\"condition\":{\"qbol_groups\":[<Group ID>]},\"action\":[\"<Actions>\"]},{\"access\":\"<Access>\",\"condition\":{\"qbol_users\":[<User ID>],\"qbol_groups\":[<Group ID>]},\"action\":[\"<Actions>\"]}]"}' \
"https://gcp.qubole.com/api/v1.2/object_policy/policy"
Sample API Request
Here is a sample API call to set an object policy for a cluster with its ID as 2001.
curl -X PUT -H "X-AUTH-TOKEN: <API-TOKEN>" -H "Content-Type: application/json" -H "Accept: application/json" \
-d '{"source_id":"2001", "source_type": "cluster",
"policy": "[{\"access\":\"allow\",\"condition\":{\"qbol_users\":[1715]},\"action\":[\"read\"]},{\"access\":\"allow\",\"condition\":{\"qbol_groups\":[2352]},\"action\":[\"read\",\"update\"]},{\"access\":\"deny\",\"condition\":{\"qbol_users\":[1715],\"qbol_groups\":[2352]},\"action\":[\"all\"]}]"}' \
"https://gcp.qubole.com/api/v1.2/object_policy/policy"
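Because the policy value is a JSON array serialized into a string, hand-escaping it is error-prone. The following added example (not Qubole's own code; the function names are hypothetical) builds the request body programmatically, rejects malformed statements, and lists principals that appear in both an allow and a deny statement so they can be reviewed. It assumes the statement shape shown in the sample request and does not model how QDS resolves precedence.

```python
import json

ALLOWED_ACCESS = {"allow", "deny"}           # the two values used in the page's sample
PRINCIPAL_KEYS = ("qbol_users", "qbol_groups")

def validate_statement(stmt):
    """Reject malformed statements before they reach the API."""
    if stmt.get("access") not in ALLOWED_ACCESS:
        raise ValueError(f"access must be one of {sorted(ALLOWED_ACCESS)}: {stmt!r}")
    cond = stmt.get("condition") or {}
    if not cond or set(cond) - set(PRINCIPAL_KEYS):
        raise ValueError(f"condition needs only qbol_users/qbol_groups: {stmt!r}")
    for key, ids in cond.items():
        # IDs are bare (unquoted) integers; bool is excluded because it subclasses int.
        if not isinstance(ids, list) or not ids or not all(type(i) is int for i in ids):
            raise ValueError(f"{key} must be a non-empty list of integer IDs: {stmt!r}")
    actions = stmt.get("action")
    if not isinstance(actions, list) or not actions or not all(isinstance(a, str) and a for a in actions):
        raise ValueError(f"action must be a non-empty list of strings: {stmt!r}")

def build_body(source_id, source_type, statements):
    """Return the request body; "policy" is a JSON array serialized into a string."""
    for stmt in statements:
        validate_statement(stmt)
    policy = json.dumps(statements, separators=(",", ":"))
    return json.dumps({"source_id": str(source_id), "source_type": source_type, "policy": policy})

def conflicting_principals(statements):
    """List (kind, id) pairs named in both an allow and a deny statement, for manual review."""
    seen = {"allow": set(), "deny": set()}
    for stmt in statements:
        for key in PRINCIPAL_KEYS:
            seen[stmt["access"]].update((key, i) for i in stmt["condition"].get(key, []))
    return sorted(seen["allow"] & seen["deny"])

# The three statements from the page's sample request for cluster 2001.
SAMPLE = [
    {"access": "allow", "condition": {"qbol_users": [1715]}, "action": ["read"]},
    {"access": "allow", "condition": {"qbol_groups": [2352]}, "action": ["read", "update"]},
    {"access": "deny", "condition": {"qbol_users": [1715], "qbol_groups": [2352]}, "action": ["all"]},
]

if __name__ == "__main__":
    print(build_body(2001, "cluster", SAMPLE))   # request body for the PUT call
    print(conflicting_principals(SAMPLE))        # principals to review before applying
```

The printed body can be saved to a file and sent with curl's `-d @<file>` in place of the inline string.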