Access management in Managed Service for Apache Airflow™
About access management
In Yandex Cloud, all transactions are checked in Yandex Identity and Access Management. If a subject does not have the required permission, the service returns an error.
To grant permission for a resource, assign roles for this resource to the subject that will perform operations. Roles can be assigned to a Yandex account, a service account, federated users, a user group, or a system group. For more information, see How access management works in Yandex Cloud.
Only users with the admin, resource-manager.clouds.owner, or organization-manager.organizations.owner role for a resource can assign roles for this resource.
Which resources you can assign a role for
As with other services, you can assign roles for clouds, folders, and service accounts. The roles assigned for clouds and folders also apply to nested resources.
To allow access to Managed Service for Apache Airflow™ service resources, assign the user the appropriate roles for the folder or cloud hosting the resources.
Which roles exist in the service
Service roles
Below is a list of all roles that are used to verify access rights in the service.
managed-airflow.viewer
The managed-airflow.viewer role allows you to view information about the Apache Airflow™ clusters.
managed-airflow.editor
The managed-airflow.editor role allows you to manage the Apache Airflow™ clusters, as well as get information about quotas and service resource operations.
Users with this role can:
- View information about the Apache Airflow™ clusters, as well as create, modify, and delete them.
- Use the web interface to access the Apache Airflow™ components.
This role also includes the managed-airflow.viewer permissions.
To create Apache Airflow™ clusters, you also need the vpc.user role.
managed-airflow.admin
The managed-airflow.admin role allows you to manage the Apache Airflow™ clusters and get information about quotas and service resource operations.
Users with this role can:
- Manage access to the Apache Airflow™ clusters.
- View information about the Apache Airflow™ clusters, as well as create, modify, and delete them.
- Use the web interface to access the Apache Airflow™ components.
This role also includes the managed-airflow.editor permissions.
To create Apache Airflow™ clusters, you also need the vpc.user role.
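The following is an added example, not part of this documentation, that models the service roles above (admin includes editor, editor includes viewer, and vpc.user is needed alongside the editor or admin role to create clusters) and audits a set of folder access bindings to see which subject can perform which operation. The bindings are constructed sample data in the shape assumed for `yc resource-manager folder list-access-bindings --format json` (`role_id`, `subject.type`, `subject.id`); primitive roles are not modelled.

```python
"""Audit access bindings against the Managed Airflow service role model."""
import json
from typing import Dict, List, Set

# Inclusions stated in the docs: each role implies the roles listed.
ROLE_INCLUDES: Dict[str, Set[str]] = {
    "managed-airflow.admin": {"managed-airflow.editor"},
    "managed-airflow.editor": {"managed-airflow.viewer"},
}

# Each operation is a list of requirements; a subject must hold at least
# one role from every requirement set (after expanding inclusions).
OPERATIONS: Dict[str, List[Set[str]]] = {
    "view_cluster": [{"managed-airflow.viewer"}],
    "create_cluster": [{"managed-airflow.editor"}, {"vpc.user"}],
    "manage_cluster_access": [{"managed-airflow.admin"}],
}

def expand_roles(roles: Set[str]) -> Set[str]:
    """Return the roles plus everything they transitively include."""
    result, stack = set(roles), list(roles)
    while stack:
        for included in ROLE_INCLUDES.get(stack.pop(), set()):
            if included not in result:
                result.add(included)
                stack.append(included)
    return result

def roles_by_subject(bindings: List[dict]) -> Dict[str, Set[str]]:
    """Group bindings by 'type:id' subject key."""
    grouped: Dict[str, Set[str]] = {}
    for b in bindings:
        key = f'{b["subject"]["type"]}:{b["subject"]["id"]}'
        grouped.setdefault(key, set()).add(b["role_id"])
    return grouped

def can_perform(roles: Set[str], operation: str) -> bool:
    """True if the expanded role set satisfies every requirement set."""
    held = expand_roles(roles)
    return all(held & required for required in OPERATIONS[operation])

def audit(bindings: List[dict]) -> Dict[str, Dict[str, bool]]:
    """Map each subject to the operations it can perform."""
    return {subject: {op: can_perform(roles, op) for op in OPERATIONS}
            for subject, roles in roles_by_subject(bindings).items()}

# Constructed sample bindings (hypothetical subject ids).
SAMPLE_BINDINGS = json.loads("""[
 {"role_id": "managed-airflow.editor", "subject": {"type": "serviceAccount", "id": "sa-constructed-1"}},
 {"role_id": "vpc.user",               "subject": {"type": "serviceAccount", "id": "sa-constructed-1"}},
 {"role_id": "managed-airflow.editor", "subject": {"type": "userAccount", "id": "user-constructed-2"}},
 {"role_id": "managed-airflow.admin",  "subject": {"type": "userAccount", "id": "user-constructed-3"}},
 {"role_id": "vpc.user",               "subject": {"type": "userAccount", "id": "user-constructed-3"}}
]""")
```

Running `audit(SAMPLE_BINDINGS)` shows that `user-constructed-2` holds the editor role yet cannot create clusters because vpc.user is missing, which is the kind of gap to look for before granting a broader role instead.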
Primitive roles
viewer
The viewer role enables you to view information about Managed Service for Apache Airflow™ clusters and their runtime logs.
editor
Users with the editor role can manage any resource, e.g., create clusters and create and delete their subclusters.
This role includes the viewer role.
admin
Users with the admin role can manage resource access rights, e.g., allow other users to create Managed Service for Apache Airflow™ clusters and to view information about user rights.
This role includes the editor role.