set-id-broker-mappings

subtitle

Sets all ID Broker mappings for an environment.

version

0.9.66

Description

Sets all ID Broker mappings for an environment. Overwrites all existing mappings.

Synopsis

  set-id-broker-mappings
  --environment-name <value>
  --data-access-role <value>
  [--ranger-audit-role <value>]
  [--ranger-cloud-access-authorizer-role <value>]
  [--mappings <value>]
  [--set-empty-mappings | --no-set-empty-mappings]
  [--cli-input-json <value>]
  [--generate-cli-skeleton]

Options

--environment-name (string)

The name or CRN of the environment.

--data-access-role (string)

The cloud provider role to which data access services will be mapped (e.g. an ARN in AWS, a Resource ID in Azure).

--ranger-audit-role (string)

The cloud provider role to which services that write to Ranger audit logs will be mapped (e.g. an ARN in AWS, a Resource ID in Azure). Note that some data access services also write to Ranger audit logs; such services will be mapped to the dataAccessRole, not the rangerAuditRole. THIS PARAMETER IS REQUIRED.

--ranger-cloud-access-authorizer-role (string)

The cloud provider role to which the Ranger RAZ service will be mapped (e.g. an ARN in AWS, a Resource ID in Azure). This is required in RAZ-enabled environments.

--mappings (array)

ID Broker mappings for individual actors and groups. Does not include mappings for data access services. If omitted or set to an empty list, you must also specify the --set-empty-mappings option, to confirm that you want to remove any existing individual mappings.

Shorthand Syntax:

accessorCrn=string,role=string ... (separate items with spaces)

JSON Syntax:

[
  {
    "accessorCrn": "string",
    "role": "string"
  }
  ...
]

--set-empty-mappings | --no-set-empty-mappings (boolean)

Whether to install an empty set of individual mappings, deleting any existing mappings. The --set-empty-mappings option is required if --mappings is omitted or if its value is an empty list, and disallowed otherwise.

--cli-input-json (string)

Performs service operation based on the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton. If other arguments are provided on the command line, the CLI values will override the JSON-provided values.

--generate-cli-skeleton (boolean)

Prints a sample input JSON to standard output. Note the specified operation is not run if this argument is specified. The sample input can be used as an argument for --cli-input-json.

Output

mappingsVersion -> (integer)

The version of the mappings.

dataAccessRole -> (string)

The cloud provider role to which data access services will be mapped (e.g. an ARN in AWS, a Resource ID in Azure).

rangerAuditRole -> (string)

The cloud provider role to which services that write to Ranger audit logs will be mapped (e.g. an ARN in AWS, a Resource ID in Azure). Note that some data access services also write to Ranger audit logs; such services will be mapped to the dataAccessRole, not the rangerAuditRole.

rangerCloudAccessAuthorizerRole -> (string)

The cloud provider role to which the Ranger RAZ service will be mapped (e.g. an ARN in AWS, a Resource ID in Azure).

baselineRole -> (string)

Deprecated. Please use ranger-audit-role instead.

mappings -> (array)

ID Broker mappings for individual actors and groups. Does not include mappings for data access services. May be empty if no individual mappings are needed.

item -> (object)

A mapping of an actor or group to a cloud provider role.

accessorCrn -> (string)

The CRN of the actor or group.

role -> (string)

The cloud provider role (e.g., ARN in AWS, Resource ID in Azure) to which the actor or group is mapped.
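Because this command overwrites every existing mapping, a change to one actor or group has to be sent as the full merged set. The following is an added example, not part of the CLI or its documentation: it merges changes into a previously returned mappings array and builds the argument list, applying the --mappings / --set-empty-mappings rule described above. The function name, its parameters and all CRN and ARN values are constructed for illustration.

```python
import json

def build_set_args(env, data_role, audit_role, current, upserts=None,
                   removals=(), raz_role=None, allow_empty=False):
    """Build argv for set-id-broker-mappings from a read-modify-write merge.

    current:  the `mappings` array from a previous response
              (objects with accessorCrn and role).
    upserts:  {accessorCrn: role} entries to add or change.
    removals: accessorCrn values to drop.
    """
    merged = {m["accessorCrn"]: m["role"] for m in current}
    for crn, role in (upserts or {}).items():
        if not crn or not role:
            raise ValueError("accessorCrn and role must both be non-empty")
        merged[crn] = role
    for crn in removals:
        merged.pop(crn, None)

    # Executable and service prefix are omitted: the page shows only the subcommand.
    args = ["set-id-broker-mappings",
            "--environment-name", env,
            "--data-access-role", data_role,
            "--ranger-audit-role", audit_role]
    if raz_role:  # required in RAZ-enabled environments
        args += ["--ranger-cloud-access-authorizer-role", raz_role]

    if merged:
        # Non-empty list: --set-empty-mappings is disallowed here.
        payload = [{"accessorCrn": c, "role": r} for c, r in sorted(merged.items())]
        args += ["--mappings", json.dumps(payload)]
    elif allow_empty:
        # Empty list: the CLI requires this flag as explicit confirmation.
        args.append("--set-empty-mappings")
    else:
        raise ValueError("merge removes every individual mapping; "
                         "pass allow_empty=True to confirm")
    return args

# Constructed sample values, not real identifiers.
ROLE = "arn:aws:iam::111111111111:role/example-"
CURRENT = [
    {"accessorCrn": "crn:example:group:analysts", "role": ROLE + "read"},
    {"accessorCrn": "crn:example:user:alice", "role": ROLE + "admin"},
]

if __name__ == "__main__":
    print(build_set_args("example-env", ROLE + "data", ROLE + "audit", CURRENT,
                         upserts={"crn:example:group:etl": ROLE + "write"},
                         removals=["crn:example:user:alice"]))
```

The returned list can be appended to the CLI invocation as separate arguments, which avoids shell quoting problems with the JSON value of --mappings.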

Form Factors

public, private