Cloudera Docs

Rotating Cloudera Data Hub secrets

To strengthen the security of your deployments, you can rotate sensitive secrets, such as database passwords or admin credentials for the Cloudera Data Hub cluster. These secrets are managed and created by either Cloudera or users.

Secret rotation can be performed using the Cloudera Management Console or CLI commands. By rotating secrets, you reduce the risk of unauthorized access and enhance the overall security of your environment. A single secret rotation typically takes no longer than five minutes, minimizing downtime and disruption.

The following table summarizes the list of secrets that can be rotated for Cloudera Data Hub:
Secret name Secret description Downtime
Cloudera Admin password

(CM_ADMIN_PASSWORD)

 Used by the Cloudera Control Plane to manage Cloudera Manager, issue commands and poll info. No
External Database Root Password

(EXTERNAL_DATABASE_ROOT_PASSWORD)

 Initializing and managing External Databases created by the Cloudera Control Plane. Creates initial users and databases through this credential. No
Cloudera Manager Database Password

(CM_DB_PASSWORD)

 Credentials Cloudera Manager uses to connect to External Database. Minimal as the Cloudera Manager service might not be available temporarily
Cloudbreak user root SSH public key

(USER_KEYPAIR)

 Public SSH key specified during the environment creation.

Before rotating the SSH public key, you need to change keys on the Environment summary page, then rotate the secret for FreeIPA.

 No
Cloudera Manager Services Database Password

(CM_SERVICE_DB_PASSWORD)

 Used by LOCAL services managed by Cloudera Manager to connect to the External Database.This could include multiple services, such as Hue, Atlas, Ranger and so on. Minimal
LDAP Bind Password

(LDAP_BIND_PASSWORD)

 Password used to connect and fetch user and group context from LDAP located on the FreeIPA nodes. No
SSSD password

(SSSD_IPA_PASSWORD)

 Used to manage the SSSD service, which provides unified management of authentication methods on the cluster such as ssh, keytab generation and so on. No
Databus access key

(DBUS_UMS_ACCESS_KEY)

 Machine user service credential, used for communicating with Cloudera Control Plane through the DBUS interface by services such as the metering agent, diagnostic bundle collection and telemetry publisher. Minimal due to TelemetryAgent restart.
Salt boot secrets

(SALT_BOOT_SECRETS)

 Used for bootstrapping new Virtual Machine to the cluster during cluster creation, upscale operation, OS upgrade and repair. No
Salt sign key pair

(SALT_SIGN_KEY_PAIR)

 Used to sign and verify files or data distributed to Salt minions. Ensures integrity and authenticity of data managed by the Salt system. No
Salt master key pair

(SALT_MASTER_KEY_PAIR)

 Used to establish secure communication between the Salt master and minions. The public key is shared with the minions to verify the identity of the master. No
Salt password

(SALT_PASSWORD)

 Salt user's password used to communicate with the Salt cluster. No
Nginx server side private key

(NGINX_CLUSTER_SSL_CERT_PRIVATE_KEY)

 Private key of server side NGINX SSL certificate used for communication with internal services like salt-bootstrap. Minimal, NGINX restart can cause small downtime, which is covered by retries
Compute monitoring credentials

(COMPUTE_MONITORING_CREDENTIALS)

 Credentials used for compute monitoring components (prometheus, request-signer, etc.). Minimal
Cloudera Manager Intermediate Certificate Authority

(CM_INTERMEDIATE_CA_CERT)

 Used by Cloudera Manager and Cloudera Manager agents to serve HTTPS apis on the cluster nodes. Root CA is located and signed by FreeIPA. Minimal due to Cloudera Manager server and agent restart during secret update. Scaling and repair is blocked.
Embedded DB SSL certificate

(EMBEDDED_DB_SSL_CERT)

 Private key of embedded postgres database SSL certificate. Minimal
The secrets vary based on the deployment, you can use the following CLI command to list all of the available secrets for rotation:
cdp datahub list-datahub-secret-types --datahub {crn}

You can use the following steps in Cloudera Management Console or CLI commands to rotate the Cloudera Data Hub secrets:

  1. Navigate to your environment in Cloudera Management Console.
  2. Click Data Hub on the environment details page.
  3. Select the Cloudera Data Hub cluster, where you want to rotate the secrets
  4. Click Security.
    Under Secret Management, the list of secrets that can be rotated will be displayed:
  5. Select the secrets that you want to rotate.
  6. Click Rotate Secrets.
Use the following command to rotate the specific secret types:
cdp datahub rotate-secrets --datahub {datahubCrn} --secret-types {SECRETENUM1,SECRETENUM2}