articles/hdinsight/hdinsight-migrate-granular-access-cluster-configurations.md
5 additions & 5 deletions
@@ -6,7 +6,7 @@ ms.author: tyfox
6
6
ms.reviewer: jasonh
7
7
ms.service: hdinsight
8
8
ms.topic: conceptual
9
-
ms.date: 06/03/2019
9
+
ms.date: 08/09/2019
10
10
---
11
11
12
12
# Migrate to granular role-based access for cluster configurations
@@ -17,9 +17,9 @@ We are introducing some important changes to support more fine-grained role-base
17
17
18
18
Previously, secrets could be obtained via the HDInsight API by cluster users
19
19
possessing the Owner, Contributor, or Reader [RBAC
20
-
roles](https://docs.microsoft.com/azure/role-based-access-control/rbac-and-directory-admin-roles), as they were available to anyone with the `*/read` permission.
21
-
Going forward, accessing these secrets will require the `Microsoft.HDInsight/clusters/configurations/*` permission, meaning they can no longer be accessed by users with the
22
-
Reader role. Secrets are defined as values that could be used to obtain more elevated access than a user's role should allow. These include values such as cluster gateway HTTP credentials, storage account keys, and database credentials.
20
+
roles](https://docs.microsoft.com/azure/role-based-access-control/rbac-and-directory-admin-roles), as they were available to anyone with the `*/read` permission. Secrets are defined as values that could be used to obtain more elevated access than a user's role should allow. These include values such as cluster gateway HTTP credentials, storage account keys, and database credentials.
21
+
22
+
Going forward, accessing these secrets will require the `Microsoft.HDInsight/clusters/configurations/action` permission, meaning they can no longer be accessed by users with the Reader role. The roles that have this permission are Contributor, Owner, and the new HDInsight Cluster Operator role (more on that below).
23
23
24
24
We are also introducing a new [HDInsight Cluster Operator](https://docs.microsoft.com/azure/role-based-access-control/built-in-roles#hdinsight-cluster-operator) role
25
25
that will be able to retrieve secrets without being granted the administrative
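Review bot: The added line 22 changes the required permission from `Microsoft.HDInsight/clusters/configurations/*` to `Microsoft.HDInsight/clusters/configurations/action`, and only this one occurrence is visible in the diff, so any other mention of the permission in the article should be checked to carry the same string; a reader who scoped access from the earlier wording would have used the wildcard. The same line also names "the new HDInsight Cluster Operator role (more on that below)" before the unchanged paragraph at line 24 opens with "We are also introducing a new [HDInsight Cluster Operator]... role", so the role is announced twice in a row. Consider moving the link to the first mention in line 22 and rewording line 24 to describe what the role does rather than introduce it again.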
@@ -204,4 +204,4 @@ The `GET /configurations` and `POST /configurations/gateway` will no longer retu
204
204
205
205
If you are using an older version of one of the tools for Visual Studio, VSCode, IntelliJ or Eclipse mentioned above, they will no longer function until you update.
206
206
207
-
For more detailed information, see the corresponding section of this document for your scenario.
207
+
For more detailed information, see the corresponding section of this document for your scenario.
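Review bot: The removed and added text at line 207 is identical as shown, so this looks like a whitespace-only or end-of-file newline change. If it is intentional (for example, adding the missing trailing newline), it is fine as is; if it came from an editor setting, drop it from the commit so the diff carries only the permission and date changes.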