Assigned
Status Update
Comments
su...@walmart.com <su...@walmart.com> #2
Apologies, I intended to create a feature request not a bug. I will create a feature request instead.
pu...@google.com <pu...@google.com>
si...@google.com <si...@google.com> #3
Hello,
This issue report has been forwarded to the Cloud Dataproc Product team so that they may investigate it, but there is no ETA for a resolution today. Future updates regarding this issue will be provided here.
Ga...@walmart.com <Ga...@walmart.com> #4
Hi Google Team,
Can we pls get the latest update on this feature request?
Thanks,
Ganesh Shet
Staff Software Engineer
Walmart Global Tech
Description
Problem you have encountered:
Users from the Admin AD groups were made a part of Viewer AD groups so that they are unable to submit the jobs config edit and start and stop the cluster. But the users were able to access the Jupyter notebooks using the Web interface section. Once they are logged in to Jupyter notebooks, these users are able to run commands and submit Spark jobs, and it needed to be stopped as the read-only users should not be able to access the Jupyter lab.
What you expected to happen:
Currently, the component gateway has two types of services. One type allows read-only access, which includes YARN ResourceManager, Spark History Server, Tez, HDFS NameNode, etc. The other type allows users to interact with the cluster and run jobs, like Jupyter and JupyterLab.
- The access to these two types of services is currently controlled by a single permission, which should not be the case. The customer suggests that Google should categorize access to them through two different permissions. The *dataproc.clusters.use* can be the default because it is already used across roles and can provide write access. Google should create a new permission - let's call it *dataproc.clusters.read* - that enables the component gateway for read-only services. Later, BFD will have to use this new permission in its custom viewer role definitions.
- The customer wants to prevent a Dataproc read-only user from accessing or opening Jupyter and JupyterLab. Otherwise, any user who has only been granted viewer access by the owner/maintainer of the team space can access the Jupyter notebooks to submit jobs or drop tables, etc.
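
An added audit example, not part of the original report or of any Google tooling: until the two kinds of gateway service are split, an administrator can list which principals hold *dataproc.clusters.use* without any write permission, since those are the intended read-only users who can still open Jupyter. The project, role and member names are constructed, the dictionaries mirror the JSON shape of `gcloud projects get-iam-policy` and `gcloud iam roles describe`, and the choice of which permissions count as "write" is an assumption.

```python
import json

# Permission the description above treats as the single gate for the component gateway.
GATEWAY_PERMISSION = "dataproc.clusters.use"
# Assumption: holding any of these marks a principal as an intended read-write user.
WRITE_PERMISSIONS = {"dataproc.jobs.create", "dataproc.clusters.update",
                     "dataproc.clusters.start", "dataproc.clusters.stop"}


def find_readonly_gateway_access(policy, roles):
    """Return {member: [roles granting gateway access]} for members with no write permission."""
    perms_by_member, gateway_roles = {}, {}
    for binding in policy.get("bindings", []):
        role = binding["role"]
        if role not in roles:
            # Fail loudly: an unresolved role could otherwise hide a grant.
            raise ValueError(f"no definition supplied for role {role}")
        perms = set(roles[role].get("includedPermissions", []))
        for member in binding.get("members", []):
            perms_by_member.setdefault(member, set()).update(perms)
            if GATEWAY_PERMISSION in perms:
                gateway_roles.setdefault(member, []).append(role)
    # A member is reported only if none of their combined roles grants write access.
    return {m: sorted(r) for m, r in gateway_roles.items()
            if not perms_by_member[m] & WRITE_PERMISSIONS}


# Constructed sample data (hypothetical project, roles and members).
VIEWER = "projects/example-project/roles/customDataprocViewer"
ADMIN = "projects/example-project/roles/customDataprocAdmin"
SAMPLE_ROLES = {
    VIEWER: {"includedPermissions": ["dataproc.clusters.get", "dataproc.clusters.list",
                                     "dataproc.jobs.list", "dataproc.clusters.use"]},
    ADMIN: {"includedPermissions": ["dataproc.clusters.get", "dataproc.clusters.use",
                                    "dataproc.clusters.update", "dataproc.jobs.create"]},
}
SAMPLE_POLICY = {"bindings": [
    {"role": VIEWER, "members": ["group:viewers@example.com", "user:alice@example.com"]},
    {"role": ADMIN, "members": ["group:admins@example.com", "user:alice@example.com"]},
]}

if __name__ == "__main__":
    findings = find_readonly_gateway_access(SAMPLE_POLICY, SAMPLE_ROLES)
    print(json.dumps(findings, indent=2))
```

The check works on direct bindings only: it does not expand group membership or evaluate IAM conditions, so a user who is in both a viewer group and an admin group is reported through the viewer group.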