User Isolation

Describes user isolation in HPE Ezmeral Unified Analytics Software.

When an HPE Ezmeral Unified Analytics Software administrator adds a new user to HPE Ezmeral Unified Analytics Software, the system automatically assigns that user a user-designated workspace. User-designated workspaces isolate each user's applications and objects from other users in the cluster. If a user wants to share their work, they can do so by setting access controls directly on the objects they create or by changing the namespace in which their applications run.

HPE Ezmeral Unified Analytics Software bundles applications with different isolation mechanisms and assurances. For example, HPE Ezmeral Unified Analytics Software bundles cloud-native applications and open-source web applications. Cloud-native applications such as Kubeflow use namespaces to isolate users, whereas web applications such as open-source Airflow and Superset require customized changes to the open-source code to support user isolation and roles in HPE Ezmeral Unified Analytics Software. Customization entails mapping the HPE Ezmeral Unified Analytics Software user role (member or admin) to permissions in the open-source applications.

The following table summarizes user isolation in HPE Ezmeral Unified Analytics Software with regard to HPE Ezmeral Unified Analytics Software user roles (admin and member) and application permission mappings, as well as the result of changing user roles and deleting users on applications and objects:
Admin
  MLflow
    • Assumes admin role
    • View/Edit access on all experiments
    • Does not have personal models or experiments
  Airflow
    • Assumes admin role
    • View/Edit access on all DAGs
    • Does not have personal DAGs
  Superset
    • Assumes admin role
    • View/Edit access on all dashboards, datasets, and charts
    • Does not have personal dashboards
  Spark
    • N/A (no role hierarchy in Spark)
    • Can only view/access personal Spark jobs

Member
  MLflow
    • Assumes member role
    • Can only view/access personal experiments
    • No access to other users' experiments and models
  Airflow
    • Assumes custom role (segregated)
    • Must explicitly define own role when creating DAGs to keep private; otherwise, DAGs are shared
  Superset
    • Assumes customized Alpha role with added permissions to create database connections
    • Must explicitly define own role when creating DAGs to keep private; otherwise, DAGs are shared
    • Can view all dashboards and create charts based on all dashboards.
    • Cannot edit the dashboards
  Spark
    • N/A (no role hierarchy in Spark; similar to Kubeflow)
    • Can only view/access personal Spark jobs

Running in user namespace
  • MLflow: N/A
  • Airflow: Yes
  • Superset: N/A
  • Spark: Yes

User role propagation
  • MLflow: Yes
  • Airflow: Yes
  • Superset: Yes
  • Spark: N/A (no role hierarchy in Spark)

User deletion
  • MLflow: Objects remain untouched; only admins have access
  • Airflow: DAGs remain untouched; only admins have access
  • Superset: Objects remain untouched; only admins have access
  • Spark: Jobs are removed with the user namespace

IMPORTANT
Do not modify user roles or permissions in the applications that users access through HPE Ezmeral Unified Analytics Software. Modifying roles or permissions directly in an application can break the mapping between the HPE Ezmeral Unified Analytics Software user role and application permission setting. For example, do not assign an HPE Ezmeral Unified Analytics Software member the Admin role in the Superset application. If you want a user to have admin-level permissions in Superset, add the admin role to the user directly in HPE Ezmeral Unified Analytics Software. Changing a user’s role to admin in HPE Ezmeral Unified Analytics Software grants the user access to the Administration settings in HPE Ezmeral Unified Analytics Software. To edit a user role, see Adding and Removing Users.
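
The following is an added example, not HPE code: a drift check that compares each user's platform role with the role the user holds in MLflow, Airflow, and Superset, using the mapping in the table above. The role label strings, the export format, and the sample users are assumptions constructed for illustration.

```python
# Expected application role for each platform role, taken from the table on
# this page. The label strings themselves are assumptions, not product values.
EXPECTED = {
    "admin":  {"mlflow": "admin",  "airflow": "admin",  "superset": "admin"},
    "member": {"mlflow": "member", "airflow": "custom", "superset": "alpha-custom"},
}
MAPPED_APPS = {"mlflow", "airflow", "superset"}  # Spark has no role hierarchy


def audit_role_drift(platform_users, app_roles):
    """Compare application role assignments with platform roles.

    platform_users: {username: "admin" | "member"}
    app_roles:      {app: {username: role label}}  (hypothetical export format)
    Returns a sorted list of (username, app, finding) tuples.
    """
    findings = []
    for app, assignments in app_roles.items():
        if app not in MAPPED_APPS:
            continue  # nothing to compare, e.g. Spark
        for user, actual in assignments.items():
            platform_role = platform_users.get(user)
            if platform_role not in EXPECTED:
                # Account holds an app role but has no platform role to map from.
                findings.append((user, app, "orphaned"))
            elif actual != EXPECTED[platform_role][app]:
                # An app-side admin grant to a platform member is the case the
                # IMPORTANT note warns about; anything else is a plain mismatch.
                kind = "escalated" if actual == "admin" else "mismatch"
                findings.append((user, app, kind))
    return sorted(findings)


# Constructed sample data: bob was made Admin directly in Superset, alice's
# Airflow role was changed in the application, dave has no platform account.
PLATFORM_USERS = {"alice": "admin", "bob": "member", "carol": "member"}
APP_ROLES = {
    "mlflow":   {"alice": "admin", "bob": "member", "carol": "member"},
    "airflow":  {"alice": "custom", "bob": "custom", "carol": "custom"},
    "superset": {"alice": "admin", "bob": "admin",
                 "carol": "alpha-custom", "dave": "alpha-custom"},
    "spark":    {"bob": "n/a"},
}

if __name__ == "__main__":
    for finding in audit_role_drift(PLATFORM_USERS, APP_ROLES):
        print(finding)
```
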
The following topics describe user isolation in more detail for each of the applications that currently support user isolation: