Yandex project
© 2025 Yandex.Cloud LLC
In this article:

  • Access management
  • Which resources you can assign a role for
  • Which roles exist in the service
  • Service roles
  • Primitive roles
  • Roles required
  • What's next

Access management in Managed Service for Apache Airflow™

Written by
Yandex Cloud
Updated at May 22, 2025

In this section, you will learn:

  • Which resources you can assign a role for.
  • Which roles exist in the service.

Access management

Yandex Identity and Access Management checks all operations in Yandex Cloud. If an entity does not have the required permissions, this service returns an error.

To grant permissions for a resource, assign the appropriate roles for that resource to the entity performing operations, such as a Yandex account, service account, federated user, user group, system group, or public group. For more information, see How access management works in Yandex Cloud.

Roles for a resource can be assigned by users who have the managed-airflow.admin role or one of the following roles for that resource:

  • admin
  • resource-manager.admin
  • organization-manager.admin
  • resource-manager.clouds.owner
  • organization-manager.organizations.owner

Which resources you can assign a role for

You can assign a role to an organization, cloud, or folder. The roles assigned to organizations, clouds, and folders also apply to their nested resources.

To allow access to Managed Service for Apache Airflow™ resources, assign the user the appropriate roles for the folder, cloud, or organization containing these resources.

Which roles exist in the service

Service roles

Below is a list of all roles that are used to verify access rights in the service.

managed-airflow.auditor

The managed-airflow.auditor role allows you to view information about the Apache Airflow™ clusters.

managed-airflow.viewer

The managed-airflow.viewer role allows you to view information about the Apache Airflow™ clusters.

This role includes the managed-airflow.auditor permissions.

managed-airflow.user

The managed-airflow.user role allows you to perform basic operations on the Apache Airflow™ clusters.

Users with this role can:

  • View info on the Apache Airflow™ clusters.
  • Use the Apache Airflow™ web interface.
  • Send requests to the Apache Airflow™ API.

This role includes the managed-airflow.viewer permissions.

managed-airflow.editor

The managed-airflow.editor role allows you to manage the Apache Airflow™ clusters, as well as get information about quotas and service resource operations.

Users with this role can:

  • View information about the Apache Airflow™ clusters, as well as create, modify, and delete them.
  • Use the Apache Airflow™ web interface.
  • Send requests to the Apache Airflow™ API.

This role includes the managed-airflow.user permissions.

To create Apache Airflow™ clusters, you also need the vpc.user role.

managed-airflow.admin

The managed-airflow.admin role allows you to manage the Apache Airflow™ clusters and get information about quotas and service resource operations.

Users with this role can:

  • Manage access to the Apache Airflow™ clusters.
  • Use the Apache Airflow™ web interface.
  • Send requests to the Apache Airflow™ API.

This role includes the managed-airflow.editor permissions.

To create Apache Airflow™ clusters, you also need the vpc.user role.

managed-airflow.integrationProvider

The managed-airflow.integrationProvider role allows the Apache Airflow™ cluster to work with user resources required for its operation on behalf of the service account. You can assign this role to a service account linked to the Apache Airflow™ cluster.

Service accounts with this role can:

  • Add entries to log groups.
  • View info on log groups.
  • View info on log sinks.
  • View info on granted access permissions for Cloud Logging resources.
  • View info on log exports.
  • View info on Monitoring metrics and their labels, as well as upload and download metrics.
  • View the list of Monitoring dashboards and widgets and info on them, as well as create, modify, and delete them.
  • View the Monitoring notification history.
  • View the list of buckets and info on them, including their deployment region, versioning, encryption, CORS configuration, static website hosting configuration, HTTPS configuration, logging settings, granted access permissions, public access, and default storage class.
  • View lists of objects in buckets and info on these objects, including object lifecycle configuration, granted access permissions for these objects, current multipart uploads, object versions with their metadata, and object locks (both with a retention period and legal hold).
  • View bucket, object, and object version labels, as well as Object Storage statistics.
  • View info on Yandex Lockbox secrets and granted access permissions for them.
  • View details on Object Storage, Monitoring, and Yandex Lockbox quotas.
  • View info on the relevant cloud and folder.

This role includes the logging.writer, monitoring.editor, storage.viewer, and lockbox.viewer permissions.

The role does not provide access to Yandex Lockbox secret contents. To grant the Apache Airflow™ cluster access to Yandex Lockbox secret contents, additionally assign the lockbox.payloadViewer role to the service account either for the relevant folder or for specific secrets.

Primitive roles

viewer

The viewer role enables you to view information about Managed Service for Apache Airflow™ clusters and their runtime logs.

editor

Users with the editor role can manage any resource, e.g., create clusters and create and delete their subclusters.

This role includes the viewer role.

admin

Users with the admin role can manage resource access rights, e.g., allow other users to create Managed Service for Apache Airflow™ clusters and to view information about user rights.

This role includes the editor role.

Roles required

To use the service, you need the managed-airflow.editor role or higher for the folder that will house the new cluster. The managed-airflow.viewer role enables you only to view the list of clusters.

To create a Managed Service for Apache Airflow™ cluster, you need the vpc.user role and the managed-airflow.editor role or higher.

You can always assign a role with more permissions. For instance, you can assign managed-airflow.admin instead of managed-airflow.editor.
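
The rules above can be checked mechanically when reviewing a folder's access bindings. The following is an added example, not code from Yandex Cloud: it walks the service-role inclusion chain from this page and reports redundant roles, primitive roles, a missing vpc.user, and a missing lockbox.payloadViewer. It assumes the bindings are supplied as (subject, role) pairs for a single folder and does not see roles inherited from the cloud or organization; the subjects in SAMPLE are constructed.

```python
# Added example. Role names and the inclusion chain are from this page;
# the bindings in SAMPLE are constructed and name no real accounts.
CHAIN = ["managed-airflow.auditor", "managed-airflow.viewer",
         "managed-airflow.user", "managed-airflow.editor", "managed-airflow.admin"]
PRIMITIVE = {"viewer", "editor", "admin"}

def level(roles):
    """Highest position in the service-role chain held, or -1 if none."""
    return max((CHAIN.index(r) for r in roles if r in CHAIN), default=-1)

def can_create_cluster(roles):
    """Page rule: managed-airflow.editor or higher, plus vpc.user."""
    return level(roles) >= CHAIN.index("managed-airflow.editor") and "vpc.user" in roles

def audit(bindings):
    """Map each subject to findings, given (subject, role) pairs for one folder."""
    held = {}
    for subject, role in bindings:
        held.setdefault(subject, set()).add(role)
    report = {}
    for subject, roles in held.items():
        top, findings = level(roles), []
        if roles & PRIMITIVE:
            findings.append("primitive role, not scoped to this service: "
                            + ", ".join(sorted(roles & PRIMITIVE)))
        if top >= CHAIN.index("managed-airflow.editor") and "vpc.user" not in roles:
            findings.append("vpc.user not bound here; cluster creation needs it")
        if ("managed-airflow.integrationProvider" in roles
                and "lockbox.payloadViewer" not in roles):
            findings.append("no folder-level lockbox.payloadViewer; "
                            "secret contents need it here or per secret")
        redundant = sorted(r for r in roles if r in CHAIN and CHAIN.index(r) < top)
        if redundant:
            findings.append("already included by a higher role: " + ", ".join(redundant))
        report[subject] = findings
    return report

SAMPLE = [  # constructed bindings
    ("userAccount:alice", "managed-airflow.editor"),
    ("userAccount:alice", "managed-airflow.viewer"),
    ("userAccount:bob", "managed-airflow.admin"),
    ("userAccount:bob", "vpc.user"),
    ("serviceAccount:airflow-sa", "managed-airflow.integrationProvider"),
    ("userAccount:carol", "editor"),
]

if __name__ == "__main__":
    for subject, findings in audit(SAMPLE).items():
        print(subject, findings or ["ok"])
```

An empty findings list means the subject's bindings on this folder are consistent with the rules in this section.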

What's next

  • How to assign a role.
  • How to revoke a role.
  • Learn more about access management in Yandex Cloud.
  • Learn more about inheriting roles.
