Configure Atlas file-based authentication
How to manage Atlas user authentication when using user credentials from a file.
Two of the most likely tasks you would perform related to file-based authentication for Atlas:
- Enable or disable file-based authorization when transitioning among authentication methods
- Add to the list of authorized users for use in a non-production environment
To enable or disable file-based authentication
- In Cloudera Manager, select the Atlas service, then open the Configuration tab.
- Display the authentication settings by typing "file" in the Search box.
- Check or uncheck the option Enable File Authentication.
- If you are enabling file-based authentication, review the location
of the file that contains user credentials as specified in
Path to Credentials for File-based
Login.The default directory location indicated by
ATLAS_USER_CREDENTIALS_CONF_PATH
is the Atlas configuration directory in the Cloudera Runtime installation location, typically/opt/cloudera/parcels/CDH-version/etc/atlas/conf.dist
If you need to change the location, specify an absolute path on the Atlas host. Alternatively you can reset the location for
users-credentials.properties
by setting theatlas.authentication.method.file.filename
property in the Atlas Server Advanced Configuration Snippet (Safety Valve) for conf/atlas-application.properties. You can find the hostname where the Atlas service is running on the Instances tab in Cloudera Manager. - Configure the list of users as described in step 6 in To add to the users list:.
- Click Save Changes.
- Restart the Atlas service.
To add to the users list:
This procedure requires that you restart the Atlas service.
- In Cloudera Manager, select the Atlas service, then open the Instances tab.
- Note the Hostname where the Atlas service is
running. You'll need to be able to
SSH
into that host to update the user list. - Open the Configuration tab.
- Type "file" in the search box to filter the property list.
- Find the user file.
Look for the location of the
users-credentials.properties
file as set in the Path to Credentials for File-based Login property.The default directory location indicated byATLAS_USER_CREDENTIALS_CONF_PATH
is the Atlas configuration directory in the Cloudera Runtime installation location, typically
If you need to reset the location of the/opt/cloudera/parcels/CDH-version/etc/atlas/conf.dist
users-credentials.properties
file, see Moving the Atlas user credentials file. - Update the user list.
SSH
into the Atlas host. Edit the users file to include additional users in the following format:
where the username is the string used in the login page, the group is one ofusername=group::password-hash
ADMIN
,DATA_STEWARD
, orDATA_SCIENTIST
. The password-hash is the password encoded using salting.To generate an encoded password, use the pythoncputil.py
script provided in the Atlas installation, typically:/opt/cloudera/parcels/CDH-version/lib/atlas/bin
Run the command as follows, making sure that variables used in the script are available:
$ export ATLAS_HOME=/opt/cloudera/parcels/CDH-version/lib/atlas $ export ATLAS_CONF=<Atlas installation location> $ /opt/cloudera/parcels/CDH-version/lib/atlas/bin/cputil.py -g -u <username> -p <new secure password> -s
The
-s
option ensures that the output includes only the hash value. The Atlas installation location is typically/opt/cloudera/parcels/CDH-version/etc/atlas/
. - Restart the Atlas service.
Moving the Atlas user credentials file
If you find you need to point Atlas to a different location for the
users-credentials.properties
file, you can reset the
location using a property in an Atlas advanced configuration
snippet.
- In Cloudera Manager, select the Atlas service, then open the Configuration tab.
- Display the advanced configuration settings by typing "safety" in the Search box.
- In the Atlas Server Advanced Configuration Snippet
(Safety Valve) for conf/atlas-application.properties
property, add the following property and set it to the absolute path
to the
users-credentials.properties
file on the Atlas host. This path must be accessible to the Atlas service user (defaults toatlas
).atlas.authentication.method.file.filename=/some/secure/location
- Restart the Atlas service.