Steps to configure Cloudera Manager to encrypt sensitive
information stored in the Cloudera Manager database by configuring a
Credential Storage Provider (CSP).
Minimum Required Role:
Full
Administrator. This feature is not available when using Cloudera
Manager to manage Data Hub clusters.
IMPORTANT – You must complete all of the
steps below, including uploading the certificates, before the final step
to restart the Cloudera Manager server. Failure to do so will mean that
you will not be able to restart the Cloudera Manager server.
- If you are using the Vault, install and configure the Vault on
a host with network connectivity to the Cloudera Manager server:
- Install and configure the Vault
from Hashicorp.
- Configure
TLS.
- Enable the Vault secrets engine at a path that will be
dedicated to Cloudera Manager’s use. Any Vault secrets engine is
supported. See https://www.vaultproject.io/docs/secrets
for more information. For example, the following enables a
kv type secrets engine at path cm-secrets/:
vault cm-secrets enable -path=secret kv
- A certificate authentication method must be configured
at the path
certs/cert1. This is how Cloudera
Manager will authenticate with Vault. The method must have a
policy that allows Create/Update/List/Read/Delete at the
applicable secrets path. See https://www.vaultproject.io/docs/auth/cert for
more information on certificate authentication and https://www.vaultproject.io/docs/concepts/policies
for more information on vault policies.Example setup:
vault auth enable cert 1
vault write auth/cert/certs/cert1 display_name=example policies=example-policy certificate=@your-ca-cert.pem
Example
policy:
path "cm-secrets/*"
{
capabilities = ["create", "read", "update", "list", "delete"]
}
- The Vault must be unsealed by the user whenever Cloudera
Manager is running. See https://www.vaultproject.io/docs/concepts/seal
for instructions on unsealing Vault.
- Configure the Secure Credential Store in Cloudera
Manager:
- Open the Cloudera Manager Admin Console.
- Go to
and select the Security
category.
- Select the Credential Storage Provider
Type. Choose one of the following:
- None – Sensitive information is not encrypted in the Cloudera
Manager database.
- Vault – You can install and configure an external Vault, located on
a different host, if desired. Cloudera recommends Vault from
Hashicorp.
- Embedded – The credentials are stored on disk, on the Cloudera
Manager server host that is protected by file permissions. This type
is less secure than using a Vault, but is easier to set up and
manage.
- If you selected Vault, configure the
following parameters:
- Credential Storage Provider Address –
enter the URL of the host where the Vault is installed.
- Secrets Store Path – the path, on the
host where the Vault is installed where credentials are written.
The directory specified here must not be used for anything
else.
- Credential Storage Provider Storage Path
– the location on the Cloudera Manager server host where
certificates for the Vault are stored. You can keep the default
location of
/opt/cloudera/csp-data or change it
if needed.
- Upload the following certificates, by copying them to the
Cloudera Manager server host to the directory specified with the
Credential Storage Provider Storage Path
parameter, using the exact file name shown below, or you can use the
Cloudera Manager API to upload the certificates using the
CspResource endpoint. (You can use the
Cloudera Manager API Explorer to do this. Go to
.
| Certificate |
File name on the Cloudera Manager Host |
| Certificate authority |
csp-ca.pem |
| Client certificate |
csp-client.pem |
| Client key |
csp-client.key |
- Restart the Cloudera Manager Server:
sudo service cloudera-scm-server restart
Sensitive information is now encrypted in
the Cloudera Manager database.
