Set Object Policy for a Package Management Environment on Microsoft Azure

You can set a policy for an individual object and restrict users or groups from accessing the object. This overrides the access granted to the object at the account-level in the Control Panel. For more information, see Managing Roles.

PUT /api/v1.2/object_policy/policy

Use this API to set an object policy. Qubole supports object policy API on notebooks, clusters, and scheduler, and environment. This section describes setting an object policy for a Package Management environment.

Managing Permissions of an Environment describes how to control access for each .

Note

If you allow a user with a permission who is part of the group that has restricted access, then that user is allowed access and vice versa.

Required Role

The following users can make this API call:

  • Users who belong to the system-admin group or owner of the object.

  • Users who belong to a group associated with a role that allows setting an object policy. See Managing Groups and Managing Roles for more information.

Parameters

Note

Parameters marked in bold are mandatory. Others are optional and have default values.

Parameter

Description

source_id

It specifies the ID of the object based on the source_type.

source_type

It specifies the object. It must be the environment for a Package Management Environment.

policy

Array of policies to be assigned to a Package Management environment. Each policy include following parameters:

Note

Escape the values of policy elements and corresponding values except the user ID value and group ID value.

  • action: Name of the action with particular resource. The actions can be read, update, delete, manage, or all. The actions imply as given below:

    • read: This action is set to allow/deny a user/group to view the object.

    • update: This action is set to allow/deny a user/group to edit the object.

    • delete: This action is set to allow/deny a user/group to delete the object.

    • manage: This action allows the user/group to manage the object’s permissions.

    • all: This action is set to allow/deny a user/group to do read/edit/delete the object. It gets the lowest priority always. That is read, update, and delete actions get precedence over the all action.

  • access: It is set to allow or deny actions. Its value is either allow or deny.

  • condition: Array of user IDs and group IDs that have to be assigned with this policy:

    • qbol_users: An array of IDs of the user for whom this policy needs to be set. But these IDs are not similar to user IDs and create a ticket with Qubole Support to get the user IDs.

    • qbol_groups: An array of IDs of the groups for whom this policy needs to be set.

Request API Syntax

curl -X PUT -H "X-AUTH-TOKEN: <API-TOKEN>" -H "Content-Type: application/json" -H "Accept: application/json" \
-d '{"source_id":"<Object_ID>", "source_type": "<Object>",
      "policy": "[{\"access\":\"<Access>\",\"condition\":{\"qbol_users\":[<User ID>]},\"action\":[\"<Actions>\"]},
                 {\"access\":\"<Access>\",\"condition\":{\"qbol_groups\":[<Group ID>]},\"action\":[\"<Actions>\"]},
                 {\"access\":\"<Access>\",\"condition\":{\"qbol_users\":[<User ID>],\"qbol_groups\":[<Group ID>]},\"action\":[\"<Actions>\"]}]"}' \
"https://api.qubole.com/api/v1.2/object_policy/policy"

Note

The above syntax uses https://api.qubole.com as the endpoint. Qubole provides other endpoints to access QDS that are described in Supported Qubole Endpoints on Different Cloud Providers.

Sample API Request

Here is a sample API call to set an object policy for a Package Management environment with its ID as 20.

curl -X PUT -H "X-AUTH-TOKEN: <API-TOKEN>" -H "Content-Type: application/json" -H "Accept: application/json" \
-d '{"source_id":"20", "source_type": "environment",
      "policy": "[{\"access\":\"allow\",\"condition\":{\"qbol_users\":[1715]},\"action\":[\"read\"]},
                 {\"access\":\"allow\",\"condition\":{\"qbol_groups\":[2352]},\"action\":[\"read\",\"update\"]},
                 {\"access\":\"deny\",\"condition\":{\"qbol_users\":[1715],\"qbol_groups\":[2352]},\"action\":[\"all\"]}]"}` \
"https://api.qubole.com/api/v1.2/object_policy/policy"

Note

It is recommended to have a deny all action to the list of users and groups as it would be in tandem with the UI managing permissions of environments.

In the above example, the last condition meets that requirement.

{\"access\":\"deny\",\"condition\":{\"qbol_users\":[1715],\"qbol_groups\":[2352]},\"action\":[\"all\"]}