Infrastructure access
watsonx.data on Red Hat® OpenShift®
watsonx.data Developer edition
All users have access to the default iceberg-storage and hive-storage MinIO buckets, and default iceberg_data and hive_data Presto catalogs. An admin must grant explicit privileges to users who need access to the presto-01 engine.
The access control at the infrastructural level allows administrators to grant specific access to the wxd components—engines, catalogs, buckets, and databases.
- IBM watsonx.data users from a CPD cluster must have the admin role to activate their storage.
- IBM watsonx.data users with the manager role on the engine can register their own storage but cannot activate the storage. They must contact the admin to activate their storage.
- Data access by using Presto engines is controlled by catalog roles (controlling the admin and user role privileges). The watsonx.data roles are mapped to their roles in the platform (IBM Cloud IAM roles or CPD instance roles). watsonx.data Developer edition has its own user management to manage roles.
- Data ingestion by using Spark engines is controlled by storage roles.
- The catalog user role can access data only if the user is the data owner (that is, the creator of the schema or table) or has specific permissions, such as select or insert, granted through data policies.
Instance and install
- Default admin access
- Instance admins (CPD) and Install admins (Dev) are the default administrators.
- Default user access
- Instance non-admins (CPD) and install non-admins (Dev) are the default users.
The following table explains the allowed actions for each role.
Action | Admin | User | Metastore Access |
---|---|---|---|
Create Presto (Java) or Presto (C++) engines | ✓ | ||
Register Spark engines | ✓ | ||
Create Milvus services | ✓ | ||
Delete Milvus services | ✓ | ||
View Milvus services | ✓ | ||
Restart the internal HMS | ✓ | ||
Scale Presto (Java) or Presto (C++) engines | ✓ | ||
Unregister any storage | ✓ | ||
Unregister any DB Connection | ✓ | ||
Activate cataloged buckets (restart HMS) | ✓ | ||
Register and unregister own storage | ✓ | ✓ | ✓ |
Register and unregister own DB connection | ✓ | ✓ | ✓ |
Access the metastore | ✓ | ✓ | |
Engines
An admin must grant explicit privileges to users who need access to an engine. The following tables explain the permitted actions for each role.
- Presto (Java) or Presto (C++)
- Default admin access
- Instance admins (CPD) and Install admins (Dev) are the default administrators.

Table 2. Role-based access and privileges for Presto (Java) or Presto (C++) engine

Action | Admin | Manager | User | Users without an explicit role |
---|---|---|---|---|
Delete | ✓ | |||
Grant and revoke access | ✓ | |||
Pause and resume | ✓ | ✓ | ||
Restart | ✓ | ✓ | ||
Associate and disassociate catalog | ✓ | ✓ | ||
Access the Presto (Java) or Presto (C++) query monitor UI | ✓ | ✓ | ||
View the engine | ✓ | ✓ | ✓ | |
Run workloads against the engine | ✓ | ✓ | ✓ | |

- External Spark
- Default admin access
- Instance admins (CPD) and Install admins (Dev) are the default administrators.

Table 3. Role-based access and privileges for External Spark engine

Action | Admin | Manager | User | Users without an explicit role |
---|---|---|---|---|
Delete | ✓ | |||
Grant and revoke access | ✓ | |||
Update Spark engine metadata (like tags and description) | ✓ | ✓ | ||
View the engine | ✓ | ✓ | ✓ | |
Run workloads against the engine | ✓ | ✓ | ✓ | |

- Co-located Spark (deprecated)
- Role-based access control (RBAC) is based on zen service instance roles on Spark IAE instances.
- Default admin access
- Instance admins (CPD) and Install admins (Dev) are the default administrators.
Services
- Milvus
- Default admin access
- Instance admins (CPD) and Install admins (Dev) are the default administrators.
Table 4. Role-based access and privileges for Milvus

The role columns of this table are Admin, Editor, Viewer, User, Database creator (implicit role), Collection creator (implicit role) and Partition creator (implicit role). Each ✓ marks one role that holds the privilege, listed in the order given in the original table.

Action | Roles with the privilege |
---|---|
View assigned Milvus service | ✓ ✓ ✓ ✓ |
Delete assigned Milvus service | ✓ |
Grant access to assigned Milvus service | ✓ |
Revoke access from assigned Milvus service | ✓ |
Pause Milvus service | ✓ |
Resume Milvus service | ✓ |
Collection CreateIndex | ✓ ✓ ✓ ✓ |
Collection DropIndex | ✓ ✓ ✓ ✓ |
Global CreateCollection | ✓ ✓ ✓ |
Global DescribeCollection | ✓ ✓ ✓ ✓ ✓ |
Global ShowCollections | ✓ ✓ ✓ ✓ |
Global CreateAlias | ✓ ✓ ✓ |
Global DropAlias | ✓ ✓ ✓ |
Global DescribeAlias | ✓ ✓ ✓ ✓ |
Global ListAliases | ✓ ✓ ✓ ✓ ✓ |
Global FlushAll | ✓ ✓ |
Global CreateResourceGroup | ✓ |
Global DropResourceGroup | ✓ |
Global DescribeResourceGroup | ✓ |
Global ListResourceGroups | ✓ |
Global TransferNode | ✓ |
Global TransferReplica | ✓ |
Global CreateDatabase | ✓ ✓ |
Global DropDatabase | ✓ ✓ ✓ |
Global ListDatabases | ✓ ✓ ✓ |
Collection IndexDetail | ✓ ✓ ✓ ✓ ✓ |
Collection Search | ✓ ✓ ✓ ✓ ✓ ✓ |
Collection Query | ✓ ✓ ✓ ✓ ✓ ✓ |
Collection Load | ✓ ✓ ✓ ✓ ✓ |
Collection GetLoadingProgress | ✓ ✓ ✓ ✓ |
Collection GetLoadState | ✓ ✓ ✓ ✓ |
Collection Release | ✓ ✓ ✓ ✓ ✓ |
Collection RenameCollection | ✓ ✓ ✓ ✓ |
Collection DropCollection | ✓ ✓ ✓ ✓ |
Collection Insert | ✓ ✓ ✓ ✓ ✓ |
Collection Delete | ✓ ✓ ✓ ✓ ✓ |
Collection Flush | ✓ ✓ ✓ ✓ |
Collection GetFlushState | ✓ ✓ ✓ ✓ |
Collection Upsert | ✓ ✓ ✓ ✓ ✓ |
Collection GetStatistics | ✓ ✓ ✓ ✓ |
Collection Compaction | ✓ ✓ ✓ ✓ |
Collection Import | ✓ ✓ ✓ ✓ |
Collection LoadBalance | ✓ ✓ ✓ ✓ |
Collection CreatePartition | ✓ ✓ ✓ ✓ |
Collection DropPartition | ✓ ✓ ✓ ✓ ✓ |
Collection ShowPartitions | ✓ ✓ ✓ ✓ ✓ ✓ |
Collection HasPartition | ✓ ✓ ✓ ✓ ✓ ✓ |
Storage
- Default admin access
- Instance admins (CPD) and Install admins (Dev) are the default administrators.
All users can add their own storage and have admin access to it. Other users do not have access until they are granted explicit access. The following table explains the allowed actions for each role.
Action | Admin | Writer | Reader | Users without an explicit role |
---|---|---|---|---|
Unregister | ✓ | |||
Update storage properties (credentials) | ✓ | |||
Grant and revoke access | ✓ | |||
Modify files | ✓ | ✓ | ||
Browse (storage browser in UI) | ✓ | ✓ | ✓ | |
View the storage | ✓ | ✓ | ✓ | ✓ |
- S3 REST API permissions (specific to IBM Spark and DAS)
- Users can be given a storage role that applies to all subfolders and files in a storage, or can be granted a file action for particular folders or files. The following tables explain the storage-level and data-object-level S3 REST API permissions. Note: The following tables apply only if you are using IBM Spark, which by default uses a DAS signature, or if you are using the DAS proxy.
- Storage-level access control
- To assign storage-level access, go to Access control > Infrastructure, or go to Infrastructure manager, select the storage, and assign roles.

Table 6. Storage-level access control

Storage role | S3 REST API permission |
---|---|
Reader | GET; HEAD |
Writer | GET; HEAD; PUT; POST; PATCH; DELETE |
Admin | GET; HEAD; PUT; POST; PATCH; DELETE |

- Data-object-level access control
- To assign data-object-level access control, go to Access control > Policies.

Table 7. Data-object-level access control

Data object action | S3 REST API permission |
---|---|
Read | GET; HEAD |
Write | GET; HEAD; PUT; PATCH; POST without ?delete parameter |
Delete | DELETE; POST with ?delete parameter |
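The two mappings above combined into one authorization decision, as an added example that is not IBM's code or the DAS implementation: the role names, HTTP methods and the ?delete distinction come from Tables 6 and 7, while the `Request` model, `authorize()` and the prefix-based policy lookup are assumptions made for illustration. The point it makes runnable is that a data-object Write grant never covers a multi-object delete (POST with ?delete), whereas a storage-level Writer role does.

```python
# Added example (not IBM's code or the DAS implementation): evaluates an S3
# request against the Table 6 storage roles and the Table 7 object actions.
# Request, authorize() and the prefix-based policy lookup are assumptions.
from dataclasses import dataclass
from typing import Dict, Optional, Set
from urllib.parse import parse_qs, urlsplit

# Table 6: storage-level role -> HTTP methods permitted on every object.
STORAGE_ROLE_METHODS: Dict[str, Set[str]] = {
    "Reader": {"GET", "HEAD"},
    "Writer": {"GET", "HEAD", "PUT", "POST", "PATCH", "DELETE"},
    "Admin": {"GET", "HEAD", "PUT", "POST", "PATCH", "DELETE"},
}

@dataclass
class Request:
    method: str
    url: str  # e.g. "https://das.example/bucket/prefix/file.parquet?delete"

def is_multi_object_delete(url: str) -> bool:
    """POST with the ?delete parameter is S3 DeleteObjects; Table 7 files it
    under Delete even though the verb is POST."""
    return "delete" in parse_qs(urlsplit(url).query, keep_blank_values=True)

def object_action(req: Request) -> str:
    """Table 7: classify a request as a Read, Write or Delete action."""
    m = req.method.upper()
    if m in ("GET", "HEAD"):
        return "Read"
    if m == "DELETE" or (m == "POST" and is_multi_object_delete(req.url)):
        return "Delete"
    if m in ("PUT", "PATCH", "POST"):
        return "Write"
    raise ValueError(f"unsupported method {m}")

def authorize(req: Request, storage_role: Optional[str],
              object_policies: Dict[str, Set[str]]) -> bool:
    """Allow if the storage-level role permits the verb (Table 6); otherwise
    only if a data-object policy grants the matching action on a path prefix
    covering the object (Table 7). object_policies maps a path prefix to
    the granted actions, a subset of {"Read", "Write", "Delete"}."""
    m = req.method.upper()
    if storage_role and m in STORAGE_ROLE_METHODS.get(storage_role, set()):
        return True
    path, needed = urlsplit(req.url).path, object_action(req)
    return any(path.startswith(prefix) and needed in actions
               for prefix, actions in object_policies.items())
```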
Database
- Default admin access (only if creator)
- Instance admins (CPD) and Install admins (Dev) are the default administrators.
All users can add their own database and have admin access to it. Other users do not have access until they are granted explicit access. The following table explains the allowed actions for each role.
Action | Admin | Writer | Reader | Users without an explicit role |
---|---|---|---|---|
Unregister | ✓ | |||
Update db conn properties (credentials) | ✓ | |||
Grant and revoke access | ✓ | |||
Modify database objects | ✓ | ✓ | ||
View the database | ✓ | ✓ | ✓ | ✓ |
Catalog
Every storage or database must have a catalog associated with it. The admin of the storage or database is the admin of the associated catalog. Other users do not have access until they are granted explicit access.
- Default admin access (based on access data control policies defined in watsonx.data by admin)
- Instance admins (CPD) and Install admins (Dev) are the default administrators.
- Default user access (based on access data control policies defined in watsonx.data by admin)
- Instance non-admins (CPD) and install non-admins (Dev) are the default users.
The following table explains the allowed actions for each role.
Action | Admin | User | Users without an explicit role |
---|---|---|---|
Delete | ✓ | ||
Grant and revoke access | ✓ | ||
Access to data | ✓ | Based on data policy | |
View the catalog | ✓ | ✓ | |
Schema
- Default admin access (based on access data control policies defined in watsonx.data by admin)
- Instance admins (CPD) and Install admins (Dev) are the default administrators.
- Default user access (based on access data control policies defined in watsonx.data by admin)
- Instance non-admins (CPD) and install non-admins (Dev) are the default users.
Action | Catalog Admin or schema creator | Others |
---|---|---|
Grant and revoke access | ✓ | |
Drop | ✓ | |
Access | ✓ | based on access data control policies defined in watsonx.data by admin |
Create table | ✓ | based on access data control policies defined in watsonx.data by admin |
Table
- Default admin access (based on access data control policies defined in watsonx.data by admin)
- Instance admins (CPD) and Install admins (Dev) are the default administrators.
- Default user access (based on access data control policies defined in watsonx.data by admin)
- Instance non-admins (CPD) and install non-admins (Dev) are the default users.
Action | Catalog Admin or schema admin or table creator | Others |
---|---|---|
Create, drop, and alter | ✓ | based on access data control policies defined in watsonx.data by admin |
Column access | ✓ | based on access data control policies defined in watsonx.data by admin |
Select | ✓ | based on access data control policies defined in watsonx.data by admin |
Insert | ✓ | based on access data control policies defined in watsonx.data by admin |
Update | ✓ | based on access data control policies defined in watsonx.data by admin |
Delete | ✓ | based on access data control policies defined in watsonx.data by admin |