Overview
Users must be assigned roles on Cloudera Data Engineering Services and Virtual Clusters to provide them with specific access to the Service or the Virtual Cluster.
User Access Management allows you to assign roles for managing and accessing the Cloudera Data Engineering Service and Virtual Clusters by defining the access levels for particular users or groups. With User Access Management, you can define whether a user or a group of users can administer or view a Service or a Virtual Cluster. For more information about User Management, onboarding new users, or assigning roles, see User Management.
Limitations
- When a user or a group is added to or removed from Cloudera Data Services on premises, you must clear the browser cache or open the same URL in a new tab to refresh the users or groups list before assigning a role.
- In the Cloudera Data Engineering UI, to assign a role on a Virtual Cluster in the Service, the user must be assigned at least a Service User role on that Service. The Cloudera Data Engineering CLI or API allows you to assign a role on a Virtual Cluster directly, even when the user has no role assigned on the Service. However, the user still cannot access the Virtual Cluster, because they do not have access to the Service itself. This does not result in effective role management, because users must first be assigned a role on the Service before they are assigned a role on a Virtual Cluster.
- The roles assigned as part of the User Access Management are not applicable for Airflow deployments. Any user who can submit an Airflow DAG can access all the DAGs available in the Cloudera Data Engineering environment irrespective of the role they are assigned. To disable creating the Airflow jobs in the Virtual Cluster, update the configmap after creating the Virtual Cluster by executing the following command:

      DEX_APP_NAMESPACE=<***DEX_APP_NAMESPACE***> && \
      MODIFIED_VALUE=$( \
        set -o pipefail; \
        kubectl get configmap ${DEX_APP_NAMESPACE}-api-cm -n ${DEX_APP_NAMESPACE} \
          -o go-template='{{index .data "dex.yaml"}}' | \
        yq eval '.airflowJobsEnabled = false' - | \
        jq -R -s '.' \
      ) && \
      [ "${MODIFIED_VALUE}" != "\"\"" ] && \
      kubectl patch configmap ${DEX_APP_NAMESPACE}-api-cm -n ${DEX_APP_NAMESPACE} \
        --type='json' \
        -p="[{\"op\": \"replace\", \"path\": \"/data/dex.yaml\", \"value\": ${MODIFIED_VALUE}}]" && \
      kubectl rollout restart deployment ${DEX_APP_NAMESPACE}-api -n ${DEX_APP_NAMESPACE}

  To identify <***DEX_APP_NAMESPACE***>, do the following steps:
  - In the Cloudera console, click the Data Engineering tile. The Cloudera Data Engineering Home page displays.
  - Click Administration in the left navigation menu. The Administration page displays.
  - In the Services column, select the Service containing the virtual cluster for which you want to identify the namespace.
  - In the Virtual Clusters column on the right, click the Cluster Details icon for the virtual cluster for which you want to identify the namespace. In the Cluster Details, VC-ID is your <***DEX_APP_NAMESPACE***>.
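
Because Virtual Cluster roles do not restrict Airflow, it is worth confirming that the setting took effect after the patch. The following check is an added example, not part of the Cloudera documentation: it reads dex.yaml text on stdin and reports the state of the top-level airflowJobsEnabled key that the command above sets. The function names and the sample YAML are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Cloudera's code). Reads dex.yaml text on stdin and prints
# the state of the top-level airflowJobsEnabled key:
#   disabled | enabled | unset | invalid
# Assumption: the key sits at the top level of dex.yaml, as the yq expression
# '.airflowJobsEnabled = false' in the documented command implies.
airflow_jobs_state() {
  awk '
    /^airflowJobsEnabled[ \t]*:/ {       # column 0 only: nested keys are ignored
      v = $0
      sub(/^[^:]*:[ \t]*/, "", v)        # drop "key:"
      sub(/[ \t]+#.*$/, "", v)           # drop a trailing comment
      sub(/[ \t\r]+$/, "", v)            # drop trailing whitespace / CR
      state = tolower(v)                 # accept true/True/TRUE spellings
      found = 1                          # if repeated, the last one wins
    }
    END {
      if (!found)                print "unset"
      else if (state == "false") print "disabled"
      else if (state == "true")  print "enabled"
      else                       print "invalid"   # e.g. a quoted string
    }'
}

# Exit status 0 only when the key is explicitly false. A missing key is
# treated as "not confirmed disabled" rather than guessing the default.
airflow_jobs_disabled() {
  [ "$(airflow_jobs_state)" = "disabled" ]
}

# Constructed sample inputs (every key except airflowJobsEnabled is invented).
SAMPLE_PATCHED='server:
  port: 8080
airflowJobsEnabled: false   # set by the patch'
SAMPLE_NESTED='features:
  airflowJobsEnabled: false'

printf '%s\n' "$SAMPLE_PATCHED" | airflow_jobs_state   # top-level key present
printf '%s\n' "$SAMPLE_NESTED"  | airflow_jobs_state   # nested key is not the setting

# Against a live cluster, feed it the same read used in the documented command:
#   kubectl get configmap ${DEX_APP_NAMESPACE}-api-cm -n ${DEX_APP_NAMESPACE} \
#     -o go-template='{{index .data "dex.yaml"}}' | airflow_jobs_state
```

Run the check against each Virtual Cluster namespace after the rollout restart; any result other than disabled means Airflow job creation has not been confirmed as turned off for that Virtual Cluster.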