Infrastructure access

Controlling access to the engines and other components is a critical requirement for many enterprises. To ensure that the resource usage is under control, IBM® watsonx.data provides the ability to manage access controls on these resources. A user with admin privileges on the resources can grant access to other users.

watsonx.data on Red Hat® OpenShift®

watsonx.data Developer edition

All users have access to the default iceberg-storage and hive-storage MinIO buckets, and default iceberg_data and hive_data Presto catalogs. An admin must grant explicit privileges to users who need access to the presto-01 engine.

The access control at the infrastructure level allows administrators to grant specific access to the wxd components—engines, catalogs, buckets, and databases.

  • IBM watsonx.data users on a CPD cluster must have the admin role to activate their storage.
  • IBM watsonx.data users with the manager role on the engine can register their own storage but cannot activate it. They must contact the admin to activate their storage.
  • Data access by using Presto engines is controlled by catalog roles (controlling the admin and user role privileges). The watsonx.data roles are mapped to their roles in the platform (IBM Cloud IAM roles or CPD instance roles). watsonx.data developer edition has its own user management to manage roles.
  • Data ingestion by using Spark engines is controlled by storage roles.
  • The catalog user role can access data only if the user is the data owner (that is, the creator of the schema or table) or has specific permissions, such as select or insert, granted through data policies.

Instance and install

Default admin access
Instance admins (CPD) and Install admins (Dev) are the default administrators.
Default user access

Instance non-admins (CPD) and install non-admins (Dev) are the default users.

The following table explains the allowed actions for each role.

Table 1. Role-based access and privileges for instance and install
Action Admin User Metastore Access
Create Presto (Java) or Presto (C++) engines    
Register Spark engines    
Create Milvus services    
Delete Milvus services    
View Milvus services    
Restart the internal HMS    
Scale Presto (Java) or Presto (C++) engines    
Unregister any storage    
Unregister any DB Connection    
Activate cataloged buckets (restart HMS)    
Register and unregister own storage
Register and unregister own DB connection
Access the metastore  

Engines

An admin must grant explicit privileges to users who need access to an engine. The following tables explain the permitted actions for each role.

Presto (Java) or Presto (C++)
Default admin access
Instance admins (CPD) and Install admins (Dev) are the default administrators.
The following table explains the allowed actions for each role.
Table 2. Role-based access and privileges for Presto (Java) or Presto (C++) engine
Action Admin Manager User Users without an explicit role
Delete      
Grant and revoke access      
Pause and resume    
Restart    
Associate and disassociate catalog    
Access the Presto (Java) or Presto (C++) query monitor UI    
View the engine  
Run workloads against the engine  
External Spark
Default admin access
Instance admins (CPD) and Install admins (Dev) are the default administrators.
The following table explains the allowed actions for each role.
Table 3. Role-based access and privileges for External Spark engine
Action Admin Manager User Users without an explicit role
Delete      
Grant and revoke access      
Update Spark engine metadata (like tags and description)    
View the engine  
Run workloads against the engine  
Co-located Spark (deprecated)

Role-based access control (RBAC) is based on zen service instance roles on Spark IAE instances.

Default admin access
Instance admins (CPD) and Install admins (Dev) are the default administrators.

Services

Milvus
Default admin access
Instance admins (CPD) and Install admins (Dev) are the default administrators.
The following table explains the allowed actions for each role.
Table 4. Role-based access and privileges for Milvus
Action Admin Editor Viewer User Database creator (implicit role) Collection creator (implicit role) Partition creator (implicit role)
View assigned Milvus service      
Delete assigned Milvus service            
Grant access to assigned Milvus service            
Revoke access from assigned Milvus service            
Pause Milvus service            
Resume Milvus service            
Collection CreateIndex      
Collection DropIndex      
Global CreateCollection        
Global DescribeCollection    
Global ShowCollections      
Global CreateAlias        
Global DropAlias        
Global DescribeAlias      
Global ListAliases    
Global FlushAll          
Global CreateResourceGroup            
Global DropResourceGroup            
Global DescribeResourceGroup            
Global ListResourceGroups            
Global TransferNode            
Global TransferReplica            
Global CreateDatabase          
Global DropDatabase        
Global ListDatabases        
Collection IndexDetail    
Collection Search  
Collection Query  
Collection Load    
Collection GetLoadingProgress      
Collection GetLoadState      
Collection Release    
Collection RenameCollection      
Collection DropCollection      
Collection Insert    
Collection Delete    
Collection Flush      
Collection GetFlushState      
Collection Upsert    
Collection GetStatistics      
Collection Compaction      
Collection Import      
Collection LoadBalance      
Collection CreatePartition      
Collection DropPartition    
Collection ShowPartitions    
Collection HasPartition  

Storage

Default admin access
Instance admins (CPD) and Install admins (Dev) are the default administrators.

All users can add their own storage and have admin access to it. Other users do not have access until they are granted explicit access. The following table explains the allowed actions for each role.

Table 5. Role-based access and privileges for storage
Action Admin Writer Reader Users without an explicit role
Unregister      
Update storage properties (credentials)      
Grant and revoke access      
Modify files    
Browse (storage browser in UI)  
View the storage
S3 REST API permissions (specific to IBM Spark and DAS)
Users can be given a storage role that applies to all subfolders and files in a storage, or can be granted file actions for particular folders or files. The following tables explain the storage-level and data-object-level S3 REST API permissions.
Note: The following tables apply only if you are using IBM Spark, which by default uses a DAS signature, or if you are using the DAS proxy.
Storage-level access control
To assign storage-level access, go to Access control > Infrastructure, or go to Infrastructure manager, select the storage, and assign roles.
Table 6. Storage-level access control
Storage role S3 REST API permission
Reader GET; HEAD
Writer GET; HEAD; PUT; POST; PATCH; DELETE
Admin GET; HEAD; PUT; POST; PATCH; DELETE
Data-object-level access control
To assign data-object-level access control, go to Access control > Policies.
Table 7. Data-object-level access control
Data object action S3 REST API permission
Read GET; HEAD
Write GET; HEAD; PUT; PATCH; POST without ?delete parameter
Delete DELETE; POST with ?delete parameter
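The two tables above describe a mapping from roles and data-object actions to HTTP methods, with one subtle case: an S3 multi-object delete is sent as a POST carrying the ?delete query parameter, so it counts as a Delete action rather than a Write. The following Python is an added illustration of that evaluation logic, not code from IBM watsonx.data or the DAS proxy. It assumes that a data-object grant on a folder prefix covers every object beneath it, and the bucket and path names are constructed for the sample; it does not inspect the object keys inside a multi-object delete body, only the request method, path and query string.

```python
"""Evaluate S3 REST requests against storage roles (Table 6) and data-object actions (Table 7).

Added example: models the permission tables, not the product's own enforcement code.
"""
from urllib.parse import parse_qs, urlsplit

# Table 6: storage-level role -> permitted S3 REST methods, applied to every object in the storage.
STORAGE_ROLE_METHODS = {
    "Reader": frozenset({"GET", "HEAD"}),
    "Writer": frozenset({"GET", "HEAD", "PUT", "POST", "PATCH", "DELETE"}),
    "Admin": frozenset({"GET", "HEAD", "PUT", "POST", "PATCH", "DELETE"}),
}


def _is_multi_object_delete(method, url):
    """S3 multi-object delete is a POST whose query string carries the 'delete' parameter."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return method == "POST" and "delete" in query


def action_permits(action, method, url):
    """Table 7: does a data-object grant (Read / Write / Delete) cover this request?"""
    method = method.upper()
    if action == "Read":
        return method in ("GET", "HEAD")
    if action == "Write":
        # Write covers reads plus non-destructive writes; POST with ?delete is not a write.
        if method in ("GET", "HEAD", "PUT", "PATCH"):
            return True
        return method == "POST" and not _is_multi_object_delete(method, url)
    if action == "Delete":
        return method == "DELETE" or _is_multi_object_delete(method, url)
    return False


def request_allowed(method, url, storage_role=None, object_grants=None):
    """Allow when the storage-level role permits the method, or when a data-object grant
    on a path prefix covering the request path permits it (assumed prefix semantics)."""
    method = method.upper()
    if method in STORAGE_ROLE_METHODS.get(storage_role, frozenset()):
        return True
    path = urlsplit(url).path
    for prefix, actions in (object_grants or {}).items():
        covers = path == prefix or path.startswith(prefix.rstrip("/") + "/")
        if covers and any(action_permits(a, method, url) for a in actions):
            return True
    return False


# Constructed sample principal: Reader on the whole storage, plus a Write grant on one folder.
SAMPLE_ROLE = "Reader"
SAMPLE_GRANTS = {"/iceberg-storage/sales/": ["Write"]}


def evaluate_sample():
    """Return {(method, url): decision} for a few constructed requests against the sample policy."""
    requests = [
        ("GET", "/iceberg-storage/hr/salaries.parquet"),       # Reader role: allowed
        ("PUT", "/iceberg-storage/hr/salaries.parquet"),       # no Write grant here: denied
        ("PUT", "/iceberg-storage/sales/2024/part-0.parquet"), # Write grant on prefix: allowed
        ("POST", "/iceberg-storage/sales/2024/part-0.parquet?uploads"),  # ordinary POST: Write
        ("POST", "/iceberg-storage/sales/?delete"),            # multi-object delete: needs Delete
        ("DELETE", "/iceberg-storage/sales/2024/part-0.parquet"),        # needs Delete: denied
    ]
    return {(m, u): request_allowed(m, u, SAMPLE_ROLE, SAMPLE_GRANTS) for m, u in requests}


if __name__ == "__main__":
    for (method, url), allowed in evaluate_sample().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {method:6} {url}")
```

The point worth checking in any proxy that implements this table is the POST split: a grant of Write must not be accepted for a POST whose query string contains delete, otherwise a user holding only Write on a folder could remove objects with a multi-object delete request.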

Database

Default admin access (only if creator)
Instance admins (CPD) and Install admins (Dev) are the default administrators.

All users can add their own database and have admin access to it. Other users do not have access until they are granted explicit access. The following table explains the allowed actions for each role.

Table 8. Role-based access and privileges for database
Action Admin Writer Reader Users without an explicit role
Unregister      
Update db conn properties (credentials)      
Grant and revoke access      
Modify database objects    
View the database

Catalog

Every storage or database must have a catalog associated with it. The admin of the storage or database is the admin of the associated catalog. Other users do not have access until they are granted explicit access.

Default admin access (based on access data control policies defined in watsonx.data by admin)
Instance admins (CPD) and Install admins (Dev) are the default administrators.
Default user access (based on access data control policies defined in watsonx.data by admin)
Instance non-admins (CPD) and install non-admins (Dev) are the default users.

The following table explains the allowed actions for each role.

Table 9. Role-based access and privileges for catalog
Action Admin User Users without an explicit role
Delete    
Grant and revoke access    
Access to data Based on data policy  
View the catalog  
Note: If you want to delete a catalog, you must first disassociate the catalog from the engine.

Schema

Default admin access (based on access data control policies defined in watsonx.data by admin)
Instance admins (CPD) and Install admins (Dev) are the default administrators.
Default user access (based on access data control policies defined in watsonx.data by admin)
Instance non-admins (CPD) and install non-admins (Dev) are the default users.
Action Catalog Admin or schema creator Others
Grant and revoke access  
Drop  
Access based on access data control policies defined in watsonx.data by admin
Create table based on access data control policies defined in watsonx.data by admin

Table

Default admin access (based on access data control policies defined in watsonx.data by admin)
Instance admins (CPD) and Install admins (Dev) are the default administrators.
Default user access (based on access data control policies defined in watsonx.data by admin)
Instance non-admins (CPD) and install non-admins (Dev) are the default users.
Action Catalog Admin or schema admin or table creator Others
Create, drop, and alter based on access data control policies defined in watsonx.data by admin
Column access based on access data control policies defined in watsonx.data by admin
Select based on access data control policies defined in watsonx.data by admin
Insert based on access data control policies defined in watsonx.data by admin
Update based on access data control policies defined in watsonx.data by admin
Delete based on access data control policies defined in watsonx.data by admin