Manage cluster access

Note

We will retire Azure HDInsight on AKS on January 31, 2025. Before January 31, 2025, you will need to migrate your workloads to Microsoft Fabric or an equivalent Azure product to avoid abrupt termination of your workloads. The remaining clusters on your subscription will be stopped and removed from the host.

Only basic support will be available until the retirement date.

Important

This feature is currently in preview. The Supplemental Terms of Use for Microsoft Azure Previews include more legal terms that apply to Azure features that are in beta, in preview, or otherwise not yet released into general availability. For information about this specific preview, see Azure HDInsight on AKS preview information. For questions or feature suggestions, please submit a request on AskHDInsight with the details and follow us for more updates on Azure HDInsight Community.

This article provides an overview of the mechanisms available to manage access for HDInsight on AKS cluster pools and clusters. It also covers how to assign permission to users, groups, user-assigned managed identity, and service principals to enable access to cluster data plane.

When a user creates a cluster, then that user is authorized to perform the operations with data accessible to the cluster. However, to allow other users to execute queries and jobs on the cluster, access to cluster data plane is required.

Manage cluster pool or cluster access (Control plane)

The following HDInsight on AKS and Azure built-in roles are available for cluster management to manage the cluster pool or cluster resources.

Role Description
Owner Grants full access to manage all resources, including the ability to assign roles in Azure RBAC.
Contributor Grants full access to manage all resources but doesn't allow you to assign roles in Azure RBAC.
Reader View all resources but doesn't allow you to make any changes.
HDInsight on AKS Cluster Pool Admin Grants full access to manage a cluster pool including ability to delete the cluster pool.
HDInsight on AKS Cluster Admin Grants full access to manage a cluster including ability to delete the cluster.

You can use Access control (IAM) blade to manage the access for cluster pool’s and control plane.

Refer: Grant a user access to Azure resources using the Azure portal - Azure RBAC.

Manage cluster access (Data plane)

This access enables you to do the following actions:

  • View clusters and manage jobs.
  • All the monitoring and management operations.
  • To enable auto scale and update the node count.

The access is restricted for:

  • Cluster deletion.

To assign permission to users, groups, user-assigned managed identity, and service principals to enable access to cluster’s data plane, the following options are available:

Using Azure portal

How to grant access

The following steps describe how to provide access to other users, groups, user-assigned managed identity, and service principals.

  1. Navigate to the Cluster access blade of your cluster in the Azure portal and click Add.

    Screenshot showing how to provide access to a user for cluster access.

  2. Search for the user/group/user-assigned managed identity/service principal to grant access and click Add.

    Screenshot showing how to add member for cluster access.

How to remove access

  1. Select the members to be removed and click Remove.

    Screenshot showing how to remove cluster access for a member.

Using ARM template

Prerequisites

Follow the steps to update authorizationProfile object under clusterProfile section in your cluster ARM template.

  1. In the Azure portal search bar, search for user/group/user-assigned managed identity/service principal.

    Screenshot showing how to search object ID.

  2. Copy the Object ID or Principal ID.

    Screenshot showing how to view object ID.

  3. Modify the authorizationProfile section in your cluster ARM template.

    1. Add user/user-assigned managed identity/service principal Object ID or Principal ID under userIds property.

    2. Add groups Object ID under groupIds property.

      "authorizationProfile": {
      "userIds": [
                   "abcde-12345-fghij-67890",
                   "a1b1c1-12345-abcdefgh-12345"
               ],
      "groupIds": []
           },
      
  4. Deploy the updated ARM template to reflect the changes in your cluster. Learn how to deploy an ARM template.