---
title: Manage cluster access
description: How to manage cluster access in HDInsight on AKS
ms.service: hdinsight-aks
ms.topic: how-to
ms.date: 08/4/2023
---
[!INCLUDE feature-in-preview]
This article provides an overview of the mechanisms available to manage access to HDInsight on AKS cluster pools and clusters. It also covers how to assign permissions to users, groups, user-assigned managed identities, and service principals so that they can access the cluster data plane.

When a user creates a cluster, that user is authorized to perform operations on the data accessible to the cluster. However, for other users to run queries and jobs on the cluster, they must be granted access to the cluster data plane.
The following HDInsight on AKS and Azure built-in roles are available for managing cluster pool and cluster resources.

| Role | Description |
|---|---|
| Owner | Grants full access to manage all resources, including the ability to assign roles in Azure RBAC. |
| Contributor | Grants full access to manage all resources but doesn't allow you to assign roles in Azure RBAC. |
| Reader | View all resources but doesn't allow you to make any changes. |
| HDInsight on AKS Cluster Pool Admin | Grants full access to manage a cluster pool, including the ability to delete the cluster pool. |
| HDInsight on AKS Cluster Admin | Grants full access to manage a cluster, including the ability to delete the cluster. |
You can use the Access control (IAM) blade to manage access to the control plane of the cluster pool and the cluster. Refer: Grant a user access to Azure resources using the Azure portal - Azure RBAC.

This access enables you to do the following actions:

- View clusters and manage jobs.
- Perform all monitoring and management operations.
- Enable autoscale and update the node count.

The access is restricted for:

- Cluster deletion.
To assign permissions to users, groups, user-assigned managed identities, and service principals so that they can access the cluster's data plane, the following options are available:

- Using the Azure portal
- Using an ARM template

The following steps describe how to provide access to other users, groups, user-assigned managed identities, and service principals from the Azure portal.

1. Navigate to the Cluster access blade of your cluster in the Azure portal and click Add.

   :::image type="content" source="./media/hdinsight-on-aks-manage-authorization-profile/cluster-access.png" alt-text="Screenshot showing how to provide access to a user for cluster access.":::

2. Search for the user/group/user-assigned managed identity/service principal to grant access and click Add.

   :::image type="content" source="./media/hdinsight-on-aks-manage-authorization-profile/add-members.png" alt-text="Screenshot showing how to add member for cluster access.":::

To remove access:

1. Select the members to be removed and click Remove.

   :::image type="content" source="./media/hdinsight-on-aks-manage-authorization-profile/remove-access.png" alt-text="Screenshot showing how to remove cluster access for a member.":::
To use the ARM template option, you need:

- An operational HDInsight on AKS cluster.
- The ARM template for your cluster.
- Familiarity with ARM template authoring and deployment.

Follow these steps to update the `authorizationProfile` object under the `clusterProfile` section in your cluster ARM template.
1. In the Azure portal search bar, search for the user/group/user-assigned managed identity/service principal.

   :::image type="content" source="./media/hdinsight-on-aks-manage-authorization-profile/search-object-id.png" alt-text="Screenshot showing how to search object ID.":::

2. Copy the Object ID or Principal ID.

   :::image type="content" source="./media/hdinsight-on-aks-manage-authorization-profile/view-object-id.png" alt-text="Screenshot showing how to view object ID.":::

3. Modify the `authorizationProfile` section in your cluster ARM template:
   - Add the Object ID or Principal ID of each user/user-assigned managed identity/service principal under the `userIds` property.
   - Add the Object ID of each group under the `groupIds` property.

   ```json
   "authorizationProfile": {
     "userIds": [
       "abcde-12345-fghij-67890",
       "a1b1c1-12345-abcdefgh-12345"
     ],
     "groupIds": []
   },
   ```

4. Deploy the updated ARM template to reflect the changes in your cluster. Learn how to deploy an ARM template.
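As an added example that is not part of this article or of HDInsight on AKS itself, the following Python helper performs the `authorizationProfile` edit described above offline: it merges Object IDs / Principal IDs into `userIds` and `groupIds`, refuses any value that is not GUID-shaped (so a pasted display name or truncated ID cannot silently become part of the data-plane access list), drops duplicates, and lists who has access for review before you deploy. The resource type `Microsoft.HDInsight/clusterpools/clusters`, the apiVersion, and the sample template and IDs are assumptions constructed for this example.

```python
import re
from copy import deepcopy

# ARM resource type of an HDInsight on AKS cluster (assumed; check your own template).
CLUSTER_TYPE = "Microsoft.HDInsight/clusterpools/clusters"
# Object IDs and principal IDs are GUIDs; anything else is a typo or the wrong value.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

SAMPLE_TEMPLATE = {  # constructed sample: one cluster, one user already authorized
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [{
        "type": CLUSTER_TYPE,
        "apiVersion": "2023-06-01-preview",  # assumed API version
        "name": "pool1/cluster1",
        "properties": {"clusterProfile": {"authorizationProfile": {
            "userIds": ["11111111-1111-1111-1111-111111111111"], "groupIds": []}}},
    }],
}

def is_principal_id(value):
    """True if value looks like an Object ID / Principal ID (a GUID)."""
    return bool(GUID_RE.match(value))

def _cluster_resources(template):
    return [r for r in template.get("resources", [])
            if r.get("type", "").lower() == CLUSTER_TYPE.lower()]

def grant_data_plane_access(template, user_ids=(), group_ids=()):
    """Return a copy of the template with the IDs merged into every cluster's
    authorizationProfile; bad IDs are rejected up front, duplicates dropped."""
    bad = [pid for pid in (*user_ids, *group_ids) if not is_principal_id(pid)]
    if bad:
        raise ValueError(f"not object/principal IDs: {bad}")
    updated = deepcopy(template)  # never mutate the caller's template in place
    clusters = _cluster_resources(updated)
    if not clusters:
        raise ValueError("template has no HDInsight on AKS cluster resource")
    for res in clusters:
        profile = (res.setdefault("properties", {}).setdefault("clusterProfile", {})
                   .setdefault("authorizationProfile", {}))
        for key, new_ids in (("userIds", user_ids), ("groupIds", group_ids)):
            # dict.fromkeys keeps first occurrence order while removing duplicates
            profile[key] = list(dict.fromkeys([*profile.get(key, []), *new_ids]))
    return updated

def list_data_plane_principals(template):
    """Audit helper: who currently has data-plane access in the first cluster."""
    p = _cluster_resources(template)[0]["properties"]["clusterProfile"]["authorizationProfile"]
    return {"userIds": list(p.get("userIds", [])), "groupIds": list(p.get("groupIds", []))}
```

Run `list_data_plane_principals` on the result and compare it with the Cluster access blade after deployment to confirm the template and the portal agree.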