
get parcel info via API restricted after upgrade


Explorer

With Cloudera Manager 5.9.1 and api version v14 it was possible with readonly access to get the parcel information via the API e.g.

curl -su user:password -X GET servername/api/v14/clusters/cluster/parcels

 

After upgrading CDM to 5.14.2 and CDH to 5.13.3, access to the parcel info is restricted; running the same curl command with the readonly user now returns this error:

"message" : "User not allowed to perform operation."

This parcel information is very important to keep multiple clusters aligned.

After the upgrade, the role "Cluster administrator" or "Full administrator" is required to get the parcel info via the API.

This is very inconvenient. Is it possible to grant permissions on the API for specific endpoints to readonly users?

3 REPLIES 3

Re: get parcel info via API restricted after upgrade

Expert Contributor

This change was made intentionally, as read-only users are not supposed to view this information but could do so in the older version. It is not possible to grant dedicated permissions to specific read-only users; we suggest creating a dedicated user to be used by your script/tool so that you can at least track individual access in the audit logs.

 

What is the use case behind this ask, what do you need the installed parcels info for, and why do you want to use a read-only user for this query? Please explain.

Re: get parcel info via API restricted after upgrade

Explorer
With a readonly user I meant a user with the read-only access role. The read-only role is not sufficient anymore to get the parcel info.

For big companies there might be multiple Cloudera clusters deployed, not necessarily having the same administrators. If these clusters should be aligned on the same versions for all components, the easiest check is the parcel info.

Most of the configuration info is available for the read-only role, except sensitive data like passwords. Why would the parcel info need to be restricted?

Keeping cluster configurations aligned is easy to check via the API, but if the parcel info is missing it leaves a big gap. For just checking the config you really don't want to grant someone the cluster admin or full administrator role.

A more generic question: I couldn't find the permission change in the CDM release notes. Was this the only permission change for the API?

Re: get parcel info via API restricted after upgrade

Expert Contributor

Thanks for providing clarification @jeroenr. The reason behind this change was that the CM API needs to match the behavior of the CM UI. A read-only user in the CM UI is not allowed to access CM related configuration as well as parcel related settings, even in the old CM version that was in use before. Now with this change, CM UI and CM API behavior are identical, and correct.

 

We are sorry this requires you to make adjustments to your tools/scripts, but the changes required on your side are rather small: Either continue to use the same username and increase its user role level in CM, or switch to using an admin user instead for determining the parcel status.
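
The version-alignment check discussed in this thread, as an added example that is not part of the original posts or Cloudera's own code: it compares activated parcels across clusters from saved responses of the parcels endpoint and reports clusters where the account was denied. The response field names (`items`, `product`, `version`, `stage`) are assumptions about the response format; the cluster names and sample bodies are constructed.

```python
import json

# Error text quoted in the thread for an account lacking the required role.
DENIED = "User not allowed to perform operation."

# Constructed sample bodies (not real cluster output), one per cluster, as
# they might be saved from GET .../api/v14/clusters/<cluster>/parcels.
SAMPLE_RESPONSES = {
    "cluster-a": json.dumps({"items": [
        {"product": "CDH", "version": "5.13.3-example", "stage": "ACTIVATED"},
        {"product": "KAFKA", "version": "3.0.0-example", "stage": "ACTIVATED"}]}),
    "cluster-b": json.dumps({"items": [
        {"product": "CDH", "version": "5.13.3-example", "stage": "ACTIVATED"},
        {"product": "CDH", "version": "5.9.1-example", "stage": "DISTRIBUTED"},
        {"product": "KAFKA", "version": "3.1.0-example", "stage": "ACTIVATED"}]}),
    "cluster-c": json.dumps({"message": DENIED}),
}

def activated_parcels(body):
    """Return {product: version} for activated parcels, or None if access was denied."""
    doc = json.loads(body)
    if doc.get("message") == DENIED:
        return None
    return {p["product"]: p["version"]
            for p in doc.get("items", []) if p.get("stage") == "ACTIVATED"}

def drift_report(responses):
    """Return (denied_clusters, drift); drift maps product -> {cluster: version or None}."""
    parcels, denied = {}, []
    for cluster in sorted(responses):
        result = activated_parcels(responses[cluster])
        if result is None:
            denied.append(cluster)  # this account needs a higher role on that cluster
        else:
            parcels[cluster] = result
    drift = {}
    for product in sorted({name for p in parcels.values() for name in p}):
        versions = {cluster: p.get(product) for cluster, p in parcels.items()}
        if len(set(versions.values())) > 1:  # differing or missing versions
            drift[product] = versions
    return denied, drift

if __name__ == "__main__":
    denied, drift = drift_report(SAMPLE_RESPONSES)
    print("access denied on:", denied)
    for product, versions in drift.items():
        print("version drift for", product, versions)
```

Running the check under one dedicated account per tool, as suggested in the first reply, keeps each query attributable in the audit logs.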