我的测试配置:
<azkaban-users>
<user groups="azkaban" password="azkaban" roles="admin" username="azkaban"/>
<user password="metrics" roles="metrics" username="metrics"/>
<user groups="data_shuju" password="123456" roles="data_shuju" username="data_shuju"/>
<role name="data_shuju" permissions="READ,EXECUTE"/>
<user username="wangye" password="123456" groups="data_shuju"/>
<user username="changshichao" password="123456" groups="group_read_execute"/>
<group name="group_user" roles="user"/>
<group name="group_read_execute" roles="ree"/>
<role name="ree" permissions="READ,EXECUTE"/>
<role name="wangye" permissions="READ,EXECUTE"/>
<role name="admin" permissions="ADMIN"/>
<role name="metrics" permissions="METRICS"/>
</azkaban-users>azkaban的权限分两种
1,单个用户
<user password="metrics" roles="metrics" username="metrics"/> 用户
<role name="metrics" permissions="METRICS"/> 用户的权限2,用户组设置用户组后再该用户组的所有用户都有该组的权限
<user username="changshichao" password="123456" groups="group_read_execute"/>在用户组添加用户
<group name="group_read_execute" roles="ree"/>设置用户组
<role name="ree" permissions="READ,EXECUTE"/> 读权限和执行flow权限官网原文(https://azkaban.github.io/azkaban/docs/latest/#user-manager)
XmlUserManager
The XmlUserManager is the default UserManager that is built into Azkaban. To explicitly set the parameters that configure the XmlUserManager, the following parameters can be set in the azkaban.properties file.
| Parameter | Default |
|---|---|
| user.manager.class | azkaban.user.XmlUserManager |
| user.manager.xml.file | azkaban-users.xml |
The other file that needs to be modified is the azkaban-users.xml file. The XmlUserManager will parse the user xml file once during startup to set up the users.
Everything must be enclosed in a <azkaban-users> tag.
<azkaban-users> ... </azkaban-users>
Users
To add users, add the <user> tag.
<azkaban-users> <user username="myusername" password="mypassword" roles="a" groups="mygroup" / > <user username="myusername2" password="mypassword2" roles="a, b" groups="ga, gb" / > ... </azkaban-users>
| Attributes | Values | Required? |
|---|---|---|
| username | The login username. | yes |
| password | The login password. | yes |
| roles | Comma delimited list of roles that this user has. | no |
| groups | Comma delimited list of groups that the users belongs to. | no |
| proxy | Comma delimited list of proxy users that this users can give to a project | no |
Groups
To define each group, you can add the <group> tag.
<azkaban-users> <user username="a" ... groups="groupa" / > ... <group name="groupa" roles="myrole" / > ... </azkaban-users>
In the previous example, user 'a' is in the group 'groupa'. User 'a' would also have the 'myrole' role. A regular user cannot add group permissions to a project unless they are members of that group.
The following are some group attributes that you can assign.
| Attributes | Values | Required? |
|---|---|---|
| name | The group name | yes |
| roles | Comma delimited list of roles that this user has. | no |
Roles
Roles are different in that it assigns global permissions to users in Azkaban. You can set up roles with the <roles> tag.
<azkaban-users> <user username="a" ... groups="groupa" roles="readall" / > <user username="b" ... / > ... <group name="groupa" roles="admin" / > ... <role name="admin" permissions="ADMIN" / > <role name="readall" permissions="READ" / > </azkaban-users>
In the above example, user 'a' has the role 'readall', which is defined as having the READ permission. This means that user 'a' has global READ access on all the projects and executions.
User 'a' also is in 'groupa', which has the role ADMIN. It's certainly redundant, but user 'a' is also granted the ADMIN role on all projects.
The following are some group attributes that you can assign.
| Attributes | Values | Required? |
|---|---|---|
| name | The group name | yes |
| permissions | Comma delimited list global permissions for the role | yes |
The possible role permissions are the following:
| Permissions | Values |
|---|---|
| ADMIN | Grants all access to everything in Azkaban. |
| READ | Gives users read only access to every project and their logs |
| WRITE | Allows users to upload files, change job properties or remove any project |
| EXECUTE | Allows users to trigger the execution of any flow |
| SCHEDULE | Users can add or remove schedules for any flows |
| CREATEPROJECTS | Allows users to create new projects if project creation is locked down |