Describes user isolation in HPE Ezmeral Unified Analytics Software.
When an HPE Ezmeral Unified Analytics Software administrator adds a new user to HPE Ezmeral Unified Analytics Software, the system automatically assigns that user a user-designated workspace. User-designated workspaces isolate each user's applications and objects from other users in the cluster. Users who want to share their work can do so by setting access controls directly on the objects they create or by changing the namespace in which their applications run.
HPE Ezmeral Unified Analytics Software bundles applications with different isolation mechanisms and assurances. For example, HPE Ezmeral Unified Analytics Software bundles cloud-native applications and open-source web applications. Cloud-native applications such as Kubeflow use namespaces to isolate users, whereas web applications such as open-source Airflow and Superset require customized changes to the open-source code to support user isolation and roles in HPE Ezmeral Unified Analytics Software. Customization entails mapping the HPE Ezmeral Unified Analytics Software user role (member or admin) to permissions in the open-source applications.
The following table summarizes user isolation in HPE Ezmeral Unified Analytics Software with regard to HPE Ezmeral Unified Analytics Software user roles (admin and member) and application permission mappings, as well as the result of changing user roles and deleting users on applications and objects:

| | MLflow | Airflow | Superset | Spark |
|---|---|---|---|---|
| Admin | - Assumes admin role<br>- View/Edit access on all experiments<br>- Does not have personal models or experiments | - Assumes admin role<br>- View/Edit access on all DAGs<br>- Does not have personal DAGs | - Assumes admin role<br>- View/Edit access on all dashboards, datasets, and charts<br>- Does not have personal dashboards | - N/A (no role hierarchy in Spark)<br>- Can only view/access personal Spark jobs |
| Member | - Assumes member role<br>- Can only view/access personal experiments<br>- No access to other users' experiments and models | - Assumes custom role (segregated)<br>- Must explicitly define own role when creating DAGs to keep private; otherwise, DAGs are shared | - Assumes customized Alpha role with added permissions to create database connections<br>- Must explicitly define own role when creating DAGs to keep private; otherwise, DAGs are shared<br>- Can view all dashboards and create charts based on all dashboards.<br>- Cannot edit the dashboards | - N/A (no role hierarchy in Spark; similar to Kubeflow)<br>- Can only view/access personal Spark jobs |
| Running in user namespace | N/A | Yes | N/A | Yes |
| User role propagation | Yes | Yes | Yes | N/A (no role hierarchy in Spark) |
| User deletion | Objects remain untouched; only admins have access | DAGs remain untouched; only admins have access | Objects remain untouched; only admins have access | Jobs are removed with the user namespace |

IMPORTANT
Do not modify user roles or permissions in the applications that users access through HPE Ezmeral Unified Analytics Software. Modifying roles or permissions directly in an application can break the mapping between the HPE Ezmeral Unified Analytics Software user role and application permission setting. For example, do not assign an HPE Ezmeral Unified Analytics Software member the Admin role in the Superset application. If you want a user to have admin-level permissions in Superset, add the admin role to the user directly in HPE Ezmeral Unified Analytics Software. Changing a user’s role to admin in HPE Ezmeral Unified Analytics Software grants the user access to the Administration settings in HPE Ezmeral Unified Analytics Software.
To edit a user role, see Adding and Removing Users.
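
The following Python audit is an added example, not part of HPE Ezmeral Unified Analytics Software: it compares each user's platform role with the role exported from each application and flags assignments that break the mapping described above, including a member who holds an application's admin role. The application role-name strings, the input layout, and the sample users are assumptions; substitute the values your deployment uses.

```python
# Added example: detect drift between platform roles and application roles.
# Role-name strings and the input layout are assumptions, not product values.
from typing import NamedTuple

# Expected application role for each platform role, following the table above.
# Spark is absent because it has no role hierarchy.
EXPECTED = {
    "admin": {"mlflow": "admin", "airflow": "admin", "superset": "admin"},
    "member": {"mlflow": "member", "airflow": "custom-member",
               "superset": "alpha-custom"},
}

class Finding(NamedTuple):
    app: str
    user: str
    kind: str  # "escalation", "mismatch" or "orphan"
    detail: str

def audit(platform_users, app_roles):
    """platform_users: {user: "admin" | "member"}; app_roles: {app: {user: role}}."""
    findings = []
    for app, assignments in app_roles.items():
        for user, actual in assignments.items():
            platform_role = platform_users.get(user)
            if platform_role is None:
                # Role held by an account the platform does not know about.
                findings.append(Finding(app, user, "orphan", f"holds {actual}"))
                continue
            expected = EXPECTED.get(platform_role, {}).get(app)
            if expected is None or actual == expected:
                continue  # app has no role mapping, or the mapping is intact
            # A member holding the app's admin role is the case the note warns about.
            kind = "escalation" if actual == EXPECTED["admin"][app] else "mismatch"
            findings.append(Finding(app, user, kind, f"expected {expected}, found {actual}"))
    return sorted(findings)

# Constructed sample data.
PLATFORM_USERS = {"alice": "admin", "bob": "member", "carol": "member"}
APP_ROLES = {
    "superset": {"alice": "admin", "bob": "admin", "carol": "alpha-custom", "dave": "alpha-custom"},
    "airflow": {"alice": "admin", "bob": "custom-member", "carol": "viewer"},
    "mlflow": {"alice": "member", "bob": "member"},
    "spark": {"bob": "n/a"},
}

if __name__ == "__main__":
    for f in audit(PLATFORM_USERS, APP_ROLES):
        print(f"{f.kind:10} {f.app:9} {f.user:6} {f.detail}")
```

Findings of kind "escalation" or "mismatch" indicate a role changed inside the application; correct them by editing the user role in HPE Ezmeral Unified Analytics Software rather than in the application.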
The following topics describe user isolation in more detail for each of the applications that currently support user isolation: