Managing Users and Groups for the Cloudera Navigator Data Management Component

Minimum Required Role: User Administrator (also provided by Full Administrator)

The required roles listed above are Cloudera Navigator user roles. Users who hold the Cloudera Manager user role Navigator Administrator or Full Administrator and who log in to the Cloudera Navigator Web UI with their Cloudera Manager credentials are logged in to Cloudera Navigator with the Cloudera Navigator Full Administrator user role.

Cloudera Navigator supports user authentication against Cloudera Manager user accounts and against an external LDAP or Active Directory service. External authentication enables you to assign Cloudera Navigator user roles to LDAP or Active Directory groups containing the appropriate users for each user role.

Assigning Cloudera Navigator User Roles to LDAP or Active Directory Groups

This section assumes that values for your LDAP or Active Directory directory service have been configured in Cloudera Manager as described in Configuring External Authentication for Cloudera Navigator. This section also assumes that your LDAP or Active Directory service contains user groups that correspond to Cloudera Navigator user roles having the permissions you want each group of users to have. If not, you should assign your users to such groups now. The Cloudera Navigator user roles are as follows:
  • Full Administrator
  • User Administrator
  • Auditing Viewer
  • Lineage Viewer
  • Metadata Administrator
  • Policy Viewer
  • Policy Administrator

Each of these roles and the permissions associated with them are described in Cloudera Navigator User Roles.

To assign Cloudera Navigator user roles to LDAP or Active Directory user groups, or to remove them from those groups, you should know the names of the directory groups you want to configure, and then perform the following steps:

  1. Do one of the following:
    • Enter the URL of the Navigator UI in a browser: http://Navigator_Metadata_Server_host:port/, where Navigator_Metadata_Server_host is the name of the host on which you are running the Navigator Metadata Server role and port is the port configured for the role. The default port of the Navigator Metadata Server is 7187. To change the port, follow the instructions in Configuring the Navigator Metadata Server Port.
    • Select Clusters > Cloudera Management Service > Cloudera Navigator.
    • Navigate from the Navigator Metadata Server role:
      1. Select Clusters > Cloudera Management Service.
      2. Click the Instances tab.
      3. Click the Navigator Metadata Server role.
      4. Click the Cloudera Navigator link.
  2. Log in to Cloudera Navigator with the credentials of a user having one or more of the following user roles:
    • Cloudera Manager Full Administrator
    • Cloudera Manager Navigator Administrator
    • Cloudera Navigator Full Administrator
    • Cloudera Navigator User Administrator
  3. Click the Administration tab in the upper right.
  4. Click the Role Management tab.
  5. Search for an LDAP or Active Directory group by entering its name (or the first portion of the name) in the search field and pressing Enter or Return.
    • Select All Groups to search among all groups in the external directory.
    • Select Groups with Navigator Roles to display only external directory groups that have already been assigned one or more Cloudera Navigator user roles.
  6. From the LDAP or Active Directory groups displayed, select the group to which you want to assign a Cloudera Navigator user role or roles. If roles have already been assigned to the group, they are listed beneath the name of the group in the main panel.
  7. Click Manage Role Assignment in the upper right.
  8. Click the checkbox for each Cloudera Navigator user role you want assigned to that Active Directory or LDAP group. Uncheck any already-assigned roles that you want to remove from the group.
  9. Click Save.

If a user's role assignments are changed, the changes take effect with the user's next new session, that is, the next time the user logs in to Cloudera Navigator.