Cloudera Navigator and External Authentication

To support its user role-based authorization scheme, Cloudera Navigator integrates with external authentication mechanisms. External authentication mechanisms include:
  • LDAP-compliant identity/authentication services, such as Active Directory and OpenLDAP
  • SAML-based SSO solutions, such as Shibboleth and SiteMinder

Cloudera Manager Server has its own internal authentication mechanism, a database repository of user accounts. However, the user accounts defined in the internal Cloudera Manager account repository cannot be assigned Cloudera Navigator user roles. The only user role that can be effectively applied to an account created in the Cloudera Manager internal repository is that of Navigator Administrator. In other words, assigning Cloudera Navigator user roles to user accounts requires using one of the external authentication mechanisms detailed in this section.

Cloudera Manager and Cloudera Navigator have their own distinct sets of user roles, and both can be configured to use external authentication mechanisms. The organization may have a central Active Directory or other LDAP identity service that both Cloudera Manager and Cloudera Navigator use for external authentication, but each product's relationship to the external system functions independently. That means a Cloudera Manager user who successfully authenticates to the external LDAP system cannot log in to Cloudera Manager using that same authentication token.

How it Works: Cloudera Navigator and External Authentication

At runtime, the Navigator Metadata Server role instance (the daemon) forwards login requests from Cloudera Navigator users to the external authentication mechanism, which has a repository containing the user accounts and groups that have been set up for Cloudera Navigator users. The groups have had specific Cloudera Navigator user roles assigned to them, so once users authenticate to the external system, they can use the features of the Cloudera Navigator console as specified for their group.

All this occurs transparently to Cloudera Navigator users, assuming Cloudera Navigator has been correctly configured as detailed in the appropriate section for the external mechanism (Active Directory, OpenLDAP, or SAML).