Authorization in Data Fabric

Describes the basics of authorization including Access Control Lists and Access Control Expressions.

Authorization restricts what an authenticated user can do with data. Data Fabric enables you to create flexible authorization systems that grant a user capabilities to perform desired tasks, but prevents the user from performing tasks outside of that scope. Use a combination of Access Control Lists and Access Control Expressions to set up a flexible authorization system.

Access Control Lists

Data Fabric supports Access Control Lists (ACLs) in several areas, including for regulating user privileges to the job queue and cluster. Data Fabric also uses ACLs to control administrative access to volumes (administrative access is distinct from data access).

An Access Control List (ACL) is a list of users or groups. Each user or group in the list is paired with a defined set of permissions that limit the actions that the user or group can perform on the object secured by the ACL. In data-fabric, the objects secured by ACLs are the job queue, volumes, and the cluster itself.

A job queue ACL controls who can submit jobs to a queue, kill jobs, or modify their priority. A volume-level ACL controls which users and groups have administrative access to that volume, and what actions they may perform, such as mirroring the volume, altering the volume properties, dumping or backing up the volume, or deleting the volume.

Access Control Expressions

Data Fabric also provides a more powerful authorization known as Access Control Expressions. Access Control Expression (ACE)s allow you to control access using powerful boolean logic expressions. You can use ACEs to control data access to data-fabric tables, files, directories, volumes, and streams. The file system also supports standard POSIX filesystem permission levels.

An ACE is a combination of user, group, and role definitions. A role is a custom defined name that is determined and implemented by your custom authorization code. It can be a property of a user or group that defines a set of behaviors that the user or group performs regularly. You can use ACEs to secure files, directories, volumes, tables, and streams that use native storage.

See the Configuring Data-Fabric Security section for information about the procedures for setting up and modifying ACLs and ACEs for the cluster, the volumes on the cluster, the job queue, the data-fabric filesystem, and the natively stored data-fabric tables and streams.