Set Object Policy for a Notebook
You can set a policy for an individual object and restrict users or groups from accessing the object. This overrides the access granted to the object at the account level in the Control Panel. For more information, see Managing Roles.
- PUT /api/v1.2/object_policy/policy
Use this API to set an object policy. Qubole supports the object policy API on notebooks, clusters, and the scheduler. This section describes setting an object policy for a notebook.
Managing Notebook Permissions describes how to control access for each notebook.
Note
If you allow a permission to a user who is part of a group that has restricted access, then that user is allowed access, and vice versa.
Required Role
The following users can make this API call:
Users who belong to the system-admin group or who own the object.
Users who belong to a group associated with a role that allows setting an object policy. See Managing Groups and Managing Roles for more information.
Parameters
Note
Parameters marked in bold are mandatory. Others are optional and have default values.
Parameter | Description |
---|---|
source_id | It specifies the ID of the object based on the |
source_type | It specifies the object. It must be a |
policy | Array of policies to be assigned to a notebook. Each policy includes the following parameters: Note: Escape the values of policy elements and corresponding values except the user ID value and group ID value. |
Request API Syntax
curl -X PUT -H "X-AUTH-TOKEN: <API-TOKEN>" -H "Content-Type: application/json" -H "Accept: application/json" \
-d '{"source_id":"<Object_ID>", "source_type": "<Object>",
"policy": "[{\"access\":\"<Access>\",\"condition\":{\"qbol_users\":[<User ID>]},\"action\":[\"<Actions>\"]},
{\"access\":\"<Access>\",\"condition\":{\"qbol_groups\":[<Group ID>]},\"action\":[\"<Actions>\"]},
{\"access\":\"<Access>\",\"condition\":{\"qbol_users\":[<User ID>],\"qbol_groups\":[<Group ID>]},\"action\":[\"<Actions>\"]}]"}' \
"https://api.qubole.com/api/v1.2/object_policy/policy"
Note
The above syntax uses https://api.qubole.com as the endpoint. Qubole provides other endpoints to access QDS that are described in Supported Qubole Endpoints on Different Cloud Providers.
Sample API Request
Here is a sample API call to set an object policy for a notebook with its ID as 250.
curl -X PUT -H "X-AUTH-TOKEN: <API-TOKEN>" -H "Content-Type: application/json" -H "Accept: application/json" \
-d '{"source_id":"250", "source_type": "note",
"policy": "[{\"access\":\"allow\",\"condition\":{\"qbol_users\":[1715]},\"action\":[\"read\"]},
{\"access\":\"allow\",\"condition\":{\"qbol_groups\":[2352]},\"action\":[\"read\",\"update\"]},
{\"access\":\"deny\",\"condition\":{\"qbol_users\":[1715],\"qbol_groups\":[2352]},\"action\":[\"all\"]}]"}' \
"https://api.qubole.com/api/v1.2/object_policy/policy"
Note
It is recommended to add a deny all action for the listed users and groups, as it would be in tandem with the UI for managing permissions of notebooks.
In the above example, the last condition meets that requirement.
{\"access\":\"deny\",\"condition\":{\"qbol_users\":[1715],\"qbol_groups\":[2352]},\"action\":[\"all\"]}
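The request body nests the policy array as an escaped JSON string, which is easy to get wrong by hand. The following is an added example, not Qubole's code: it builds the sample request for notebook 250 by serializing the policy twice and appending the recommended deny all entry. The function names are hypothetical, and the only access values accepted are the two shown in the sample above.

```python
import json
import urllib.request

ENDPOINT = "https://api.qubole.com/api/v1.2/object_policy/policy"  # endpoint used on this page
VALID_ACCESS = {"allow", "deny"}  # assumption: only the two values shown in the page's sample


def policy_entry(access, actions, users=(), groups=()):
    """Build one policy element; user and group IDs stay unquoted JSON numbers."""
    if access not in VALID_ACCESS:
        raise ValueError(f"access must be one of {sorted(VALID_ACCESS)}")
    if not actions or not (users or groups):
        raise ValueError("an entry needs at least one action and one user or group")
    condition = {}
    if users:
        condition["qbol_users"] = [int(u) for u in users]
    if groups:
        condition["qbol_groups"] = [int(g) for g in groups]
    return {"access": access, "condition": condition, "action": list(actions)}


def with_deny_all(entries):
    """Append the recommended deny all entry covering every listed user and group."""
    users = sorted({u for e in entries for u in e["condition"].get("qbol_users", [])})
    groups = sorted({g for e in entries for g in e["condition"].get("qbol_groups", [])})
    return list(entries) + [policy_entry("deny", ["all"], users, groups)]


def build_body(notebook_id, entries):
    """Serialize the policy array to a string, then embed it in the JSON body."""
    policy = json.dumps(entries, separators=(",", ":"))
    return json.dumps({"source_id": str(notebook_id), "source_type": "note", "policy": policy})


def build_request(api_token, body):
    """Prepare the PUT request without sending it; urllib.request.urlopen(req) sends it."""
    headers = {"X-AUTH-TOKEN": api_token, "Content-Type": "application/json",
               "Accept": "application/json"}
    return urllib.request.Request(ENDPOINT, data=body.encode(), headers=headers, method="PUT")


if __name__ == "__main__":
    entries = with_deny_all([
        policy_entry("allow", ["read"], users=[1715]),
        policy_entry("allow", ["read", "update"], groups=[2352]),
    ])
    print(build_body(250, entries))
```

Letting `json.dumps` produce the inner string removes the manual backslash escaping, and the ID lists stay unquoted as the parameter note requires.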