Cloudera user management system

Cloudera Management Console includes a user management system that allows you to integrate your identity provider and manage user access to Cloudera resources.

During the initial setup of a Cloudera subscription, Cloudera designates a user account as a Cloudera account administrator. A Cloudera account administrator has all privileges and can perform any task in Cloudera. Administrators can create other Cloudera administrators by assigning the PowerUser role to users. Cloudera administrators can also register environments and create Data Lake clusters.

Cloudera administrators can create users and groups and then assign roles and resource roles to users or groups. The Cloudera Management Console also enables Cloudera administrators to federate access to Cloudera by configuring an external identity provider. Cloudera users can be either users that correspond to an actual person within the organization or machine users.

Cloudera supports the following login methods to access the Cloudera platform:
Cloudera Single Sign-On (CSSO): Only used by Account Administrators for initially setting up the Cloudera account. The CSSO login is only meant to serve as the bootstrap IdP. After enterprise IdP SAML integration is set up, CSSO must be disabled. For instructions, refer to Onboarding users.
Identity Provider (IdP) initiated login: Log in to Cloudera using the application assigned in your enterprise IdP.
Service Provider (SP) initiated login: Discover your Cloudera account by your email address, and log in to your enterprise IdP using your account.

In addition to the SSO credentials mentioned above, Cloudera uses another set of credentials that must be used to access some Cloudera components (for example, accessing Cloudera Data Hub clusters via SSH).

To access the CDP CLI or SDK, each user must have an API access key and private key. Each user must generate this key pair using the Cloudera Management Console, and Cloudera creates a credentials file based on the API access key. When you use the CDP CLI or SDK, Cloudera uses the credentials file to get the cluster connection information and verify your authorization.