03-11-2019 03:27 AM
With Cloudera Manager 5.9.1 and API version v14 it was possible with read-only access to get the parcel information via the API, e.g.
curl -su user:password -X GET servername/api/v14/clusters/cluster/parcels
After upgrading CDM to 5.14.2 and CDH to 5.13.3 the access to parcel info is restricted; running the same curl command with the read-only user now returns this error:
"message" : "User not allowed to perform operation."
This parcel information is very important to keep multiple clusters aligned.
After the upgrade, the role "Cluster administrator" or "Full administrator" is required to get the parcel info via the API.
This is very inconvenient. Is it possible to grant permissions on the API for specific endpoints to read-only users?
03-11-2019 06:27 AM
This change was made intentionally, as read-only users are not supposed to view this information but could do so in the older version. It is not possible to grant dedicated permissions to specific read-only users; we suggest creating a dedicated user to be used by your script/tool so that you can at least track individual access in the audit logs.
What is the use case behind this ask, what do you need the installed parcels info for, and why do you want to use a read-only user for this query? Please explain.
03-11-2019 07:36 AM
03-12-2019 05:18 AM
Thanks for providing clarification @jeroenr. The reason behind this change was that the CM API needs to match the behavior of the CM UI. A read-only user in the CM UI is not allowed to access CM related configuration as well as parcel related settings, even in the old CM version that was in use before. Now with this change, CM UI and CM API behavior are identical, and correct.
We are sorry this requires you to make adjustments to your tools/scripts, but the changes required on your side are rather small: either continue to use the same username and increase its user role level in CM, or switch to using an admin user instead for determining the parcel status.