XmlUserManager
The XmlUserManager is the default UserManager that is built into Azkaban. To explicitly set the parameters that configure the XmlUserManager, the following parameters can be set in the azkaban.properties file.
| {.parameter}Parameter | {.default}Default | |
|---|---|---|
| user.manager.class | azkaban.user.XmlUserManager | | |
| user.manager.xml.file | azkaban-users.xml | |
{.params}
The other file that needs to be modified is the azkaban-users.xml file. The XmlUserManager will parse the user xml file once during startup to set up the users.
Everything must be enclosed in a azkaban-users tag.
<azkaban-users>
...
</azkaban-users>
Users
To add users, add the user tag.
<azkaban-users> <user username="myusername" password="mypassword" roles="a" groups="mygroup" / > <user username="myusername2" password="mypassword2" roles="a, b" groups="ga, gb" / > ... </azkaban-users>
| {.parameter}Attributes | {.default}Values | {.default}Required? | |
|---|---|---|---|
| username | The login username. | yes | | |
| password | The login password. | yes | | |
| roles | Comma delimited list of roles that this user has. | no | | |
| groups | Comma delimited list of groups that the users belongs to. | no | | |
| proxy | Comma delimited list of proxy users that this users can give to a project | no | |
{.params}
Groups
To define each group, you can add the group tag.
<azkaban-users> <user username="a" ... groups="groupa" / > ... <group name="groupa" roles="myrole" / > ... </azkaban-users>
In the previous example, user 'a' is in the group 'groupa'. User 'a' would also have the 'myrole' role. A regular user cannot add group permissions to a project unless they are members of that group.
The following are some group attributes that you can assign.
| {.parameter}Attributes | {.default}Values | {.default}Required? | |
|---|---|---|---|
| name | The group name | yes | | |
| roles | Comma delimited list of roles that this user has. | no | |
{.params}
Roles
Roles are different in that it assigns global permissions to users in Azkaban. You can set up roles with the roles tag.
<azkaban-users> <user username="a" ... groups="groupa" roles="readall" / > <user username="b" ... / > ... <group name="groupa" roles="admin" / > ... <role name="admin" permissions="ADMIN" / > <role name="readall" permissions="READ" / > </azkaban-users>
In the above example, user 'a' has the role 'readall', which is defined as having the READ permission. This means that user 'a' has global READ access on all the projects and executions. User 'a' also is in 'groupa', which has the role ADMIN. It's certainly redundant, but user 'a' is also granted the ADMIN role on all projects.
The following are some group attributes that you can assign.
| {.parameter}Attributes | {.default}Values | {.default}Required? | |
|---|---|---|---|
| name | The group name | yes | | |
| permissions | Comma delimited list global permissions for the role | yes | |
{.params}
The possible role permissions are the following:
| {.parameter}Permissions | {.default}Values | |
|---|---|---|
| ADMIN | Grants all access to everything in Azkaban. | | |
| READ | Gives users read only access to every project and their logs | | |
| WRITE | Allows users to upload files, change job properties or remove any project | | |
| EXECUTE | Allows users to trigger the execution of any flow | | |
| SCHEDULE | Users can add or remove schedules for any flows | | |
| CREATEPROJECTS | Allows users to create new projects if project creation is locked down | |
{.params}