Access control#

Dell Data Processing Engine lets platform administrators grant or revoke specific user privileges by integrating with the built-in access control (BIAC) of Dell Data Analytics Engine, powered by Starburst Enterprise platform (SEP).

View roles#

In the Access control section of the Starburst Enterprise web UI, select Roles and privileges from the sidebar to view a list of your roles and basic information for each one:


The following information is displayed:

  • Role name: The name given to the role. Click the role name to view the details dialog for that role.

  • Role description: The description given to the role.

Click the options menu for a role to view its details dialog, assign new entities to the role, or delete the role.

Note

Only roles assigned to the current role are visible.

Create role#

To create a new role:

  1. Click Create role.

  2. In the Add a new role dialog, enter a name and description for the new role.

  3. Click Add role.

Assign entities to a role#

To assign an entity to a role:

  1. Click Assign in the options menu for the role you want to assign entities to.

  2. In the Entity category drop-down menu, select the type of entity to be assigned. You can choose user, group, or role.

  3. In the entity field, enter the user, group, or role that you would like to assign to the role.

  4. Optionally, allow the assigned entity to delegate these privileges to other entities.

  5. Click Assign.

When the Allow [user/group/role] receiving privilege to grant to others toggle is clicked during role assignment, the entity being granted the role is given the ability to assign that same role to other entities. For example, if you assign the data_analyst role to user alice and click this toggle, alice is able to assign the data_analyst role to other users, groups, and roles.

Grant or revoke privileges#

You can grant Dell Data Processing Engine privileges to a role, or revoke them from it, in the role’s details dialog. Open the details dialog either by clicking the role name or by clicking Details in the role’s options menu:

  1. Click Add privileges.

  2. For Dell Data Processing Engine privileges, select the Other radio button.

Read the entity type sections to learn more about the Dell Data Processing Engine entities and the available privileges:

Spark Connect servers#

To grant or revoke privileges related to Spark Connect servers:

  1. Choose whether to Allow or Deny a privilege.

  2. Select All privileges below or select specific privileges to grant or deny.

  3. If you are granting a privilege, choose whether to give the role the ability to grant the privileges to other entities.

  4. Click Save privileges.

The following privileges are available:

Spark Connect server privileges#

| Privilege | Description |
| --- | --- |
| MANAGE | Access detailed statuses and logs for all existing Spark Connect servers. Delete existing Spark Connect servers. |
| CREATE | Create Spark Connect servers. Access detailed statuses and logs for Spark Connect servers created by this user. Delete Spark Connect servers created by this user. |

Spark jobs#

To grant or revoke privileges related to Spark batch jobs:

  1. Choose to Allow or Deny a privilege.

  2. Select All privileges below or select specific privileges to grant or deny.

  3. If you are granting a privilege, choose whether to give the role the ability to grant the privileges to other entities.

  4. Click Save privileges.

The following privileges are available:

Spark batch jobs privileges#

| Privilege | Description |
| --- | --- |
| MANAGE | Access detailed statuses and logs for all existing Spark batch jobs. Delete all existing Spark batch jobs. |
| CREATE | Create Spark batch jobs. Access detailed statuses and logs for Spark batch jobs created by this user. Delete Spark batch jobs created by this user. |

Spark resource pools#

To grant or revoke privileges related to resource pools:

  1. Select All resource pools or use the Resource pools drop-down menu to select specific resource pools.

  2. Choose to Allow or Deny a privilege.

  3. Select the Use privilege.

  4. If you are granting a privilege, choose whether to give the role the ability to grant the privileges to other entities.

  5. Click Save privileges.

The following privilege is available:

Resource pools privileges#

| Privilege | Description |
| --- | --- |
| USE | Use this resource pool when creating Spark batch jobs. Role must also have the CREATE privilege for Spark batch jobs. Use this resource pool when creating Spark Connect servers. Role must also have the CREATE privilege for Spark Connect servers. Create sessions for Spark Connect servers that use this resource pool. Generate S3 pre-signed URLs. |

Spark uploads#

To grant or revoke privileges related to Spark uploads:

  1. Choose to Allow or Deny a privilege.

  2. Select All privileges below or select specific privileges to grant or deny.

  3. If you are granting a privilege, choose whether to give the role the ability to grant the privileges to other entities.

  4. Click Save privileges.

The following privileges are available:

Spark uploads privileges#

| Privilege | Description |
| --- | --- |
| MANAGE | Access all existing uploads. Delete all existing uploads. |
| CREATE | Upload new files or secrets. Access uploads that were created by this user. Delete uploads that were uploaded by this user. |

Spark system#

To grant or revoke privileges related to the Spark system:

  1. Choose to Allow or Deny a privilege.

  2. Select the Manage privilege.

  3. If you are granting a privilege, choose whether to give the role the ability to grant the privileges to other entities.

  4. Click Save privileges.

The following privilege is available:

Spark system privileges#

| Privilege | Description |
| --- | --- |
| MANAGE | Perform administrative tasks on the Spark system. Create, update, and delete resource pools. Access system logs and system events. Restart Spark History server. |

Other privileges#

View the general BIAC privileges documentation for more information on other entities and related privileges, such as:

Delete role#

To delete an existing role:

  1. In the options menu, click Delete.

  2. In the confirmation dialog, type DELETE and click Yes, delete.

Warning

Deleting a role is permanent and cannot be undone.

Example privilege sets#

The following shows an example privilege set for a Dell Data Processing Engine admin:

Example privilege set for a Dell Data Processing Engine admin#

| Entity | Privilege |
| --- | --- |
| All roles | Allow: Create |
| All Spark connect servers | Allow: Create |
| All Spark connect servers | Allow: Manage |
| All Spark jobs | Allow: Create |
| All Spark jobs | Allow: Manage |
| All Spark resource pools | Allow: Use |
| Spark system | Allow: Manage |
| All Spark uploads | Allow: Create |
| All Spark uploads | Allow: Manage |
| User interface | Allow: Show |

The following shows an example privilege set for a Dell Data Processing Engine user:

Example privilege set for a Dell Data Processing Engine user#

| Entity | Privilege |
| --- | --- |
| All Spark jobs | Allow: Create |
| Spark resource pool: default | Allow: Use |
| User interface: spark runtime | Allow: Show |

Limitations#

Switching roles to execute the API is not currently supported for calls from the CLI. The user has all available roles applied when accessing BIAC, with the exception of the sysadmin role.

  • When the operation is coming from the CLI, all roles for a user apply except sysadmin.

  • When the operation is coming from the Starburst Enterprise web UI, the active role applies.

  • When the user views the Spark History server or uses Spark Connect, all roles apply except sysadmin.

When all roles apply, a DENY grant in any role may reduce a user’s access.
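
The role-application rules above can be modelled to check how a user's effective access differs between the web UI and the CLI. This is an added example, not Starburst or Dell code: the role names, entity keys and channel names are hypothetical, the data is constructed, and it assumes that a matching DENY overrides any ALLOW.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Grant:
    effect: str     # "ALLOW" or "DENY"
    entity: str     # hypothetical entity key, e.g. "spark_jobs"
    privilege: str  # "CREATE", "MANAGE" or "USE"

# Constructed role definitions for illustration; not exported from a real system.
ROLES = {
    "spark_user": [Grant("ALLOW", "spark_jobs", "CREATE"),
                   Grant("ALLOW", "resource_pool:default", "USE")],
    "restricted": [Grant("DENY", "spark_jobs", "CREATE")],
    "sysadmin": [Grant("ALLOW", "spark_system", "MANAGE")],
}

# Channels where every role of the user applies, except sysadmin.
ALL_ROLE_CHANNELS = {"cli", "spark_history", "spark_connect"}

def applicable_roles(user_roles, channel, active_role=None):
    """Return the roles that apply for an access channel, per the Limitations list."""
    if channel == "web_ui":
        return [active_role] if active_role in user_roles else []
    if channel in ALL_ROLE_CHANNELS:
        return [r for r in user_roles if r != "sysadmin"]
    raise ValueError(f"unknown channel: {channel}")

def is_allowed(user_roles, channel, entity, privilege, active_role=None):
    """Evaluate one privilege; assumption: any matching DENY overrides ALLOW."""
    grants = [g for role in applicable_roles(user_roles, channel, active_role)
              for g in ROLES.get(role, [])
              if (g.entity, g.privilege) == (entity, privilege)]
    if any(g.effect == "DENY" for g in grants):
        return False
    return any(g.effect == "ALLOW" for g in grants)

def can_create_job(user_roles, channel, pool, active_role=None):
    """Creating a batch job in a pool needs CREATE on jobs and USE on the pool."""
    return (is_allowed(user_roles, channel, "spark_jobs", "CREATE", active_role)
            and is_allowed(user_roles, channel, f"resource_pool:{pool}", "USE", active_role))

if __name__ == "__main__":
    alice = ["spark_user", "restricted", "sysadmin"]
    for channel, active in [("web_ui", "spark_user"), ("cli", None)]:
        print(channel, can_create_job(alice, channel, "default", active))
    print("cli manage:", is_allowed(alice, "cli", "spark_system", "MANAGE"))
```

The same user can create a job from the web UI with spark_user active but not from the CLI, where the DENY in the second role also applies; reviewing role assignments with this in mind avoids surprises when users move between interfaces.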