Cloudera Manager User Roles
Minimum Required Role: User Administrator (also provided by Full Administrator)
Access to Cloudera Manager features is controlled by user accounts. For more information about user accounts, see Cloudera Manager User Accounts. Among the properties of a user account is the user role, which determines the Cloudera Manager features visible to the user and the actions the user can perform. All the tasks in the Cloudera Manager documentation indicate which role is required to perform the task.
User Roles
- Auditor
  - View data in Cloudera Manager.
  - View audit events.
- Read-Only - Allows the user to:
  - View data in Cloudera Manager.
  - View service and monitoring information.

  The Read-Only role does not allow the user to add services or take any actions that affect the state of the cluster.
- Limited Operator
  - View data in Cloudera Manager.
  - View service and monitoring information.
  - Decommission hosts (except hosts running Cloudera Management Service roles).

  The Limited Operator role does not allow the user to add services or take any other actions that affect the state of the cluster.
- Operator
  - View data in Cloudera Manager.
  - View service and monitoring information.
  - Stop, start, and restart clusters, services (except the Cloudera Management Service), and roles.
  - Decommission and recommission hosts (except hosts running Cloudera Management Service roles).
  - Decommission and recommission roles (except Cloudera Management Service roles).
  - Start, stop, and restart KMS.

  The Operator role does not allow the user to add services, roles, or hosts, or take any other actions that affect the state of the cluster.
- Configurator
  - View data in Cloudera Manager.
  - Perform all Operator operations.
  - Configure services (except the Cloudera Management Service).
  - Enter and exit maintenance mode.
  - Manage dashboards (including Cloudera Management Service dashboards).
- Cluster Administrator - View all data and perform all actions except the following:
  - Administer Cloudera Navigator.
  - View replication schedules and snapshot policies.
  - View audit events.
  - Manage user accounts and configuration of external authentication.
- BDR Administrator
  - View data in Cloudera Manager.
  - View service and monitoring information.
  - Perform replication and define snapshot operations.
- User Administrator - Allows the user to:
  - View data in Cloudera Manager.
  - View service and monitoring information.
  - Manage user accounts and configuration of external authentication.
- Key Administrator
  - View data in Cloudera Manager.
  - Configure HDFS encryption, administer Key Trustee Server, and manage encryption keys.
  - Start, stop, and restart KMS.
- Full Administrator - Full Administrators have permissions to view all data and do all actions, including reconfiguring and restarting services, and administering other users.
The user roles and associated permissions are summarized as follows:
User role | View data in | Decommission | Recommission | Decommission | Start, stop, | Enter and | Edit the | Create, modify, | Administer | Perform | View | Manage user | Perform all |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Full Administrator | |||||||||||||
User | |||||||||||||
Navigator | |||||||||||||
BDR | |||||||||||||
Cluster | |||||||||||||
Configurator | |||||||||||||
Operator | |||||||||||||
Limited | |||||||||||||
Read-Only | |||||||||||||
Auditor | |||||||||||||
Determining the Role of the Currently Logged in User
- Click the logged-in username at the far right of the top navigation bar. The role displays right under the username.
Removing the Full Administrator User Role
In some organizations, security policies may prohibit the use of the Full Administrator role. The Full Administrator role is created during Cloudera Manager installation, but you can remove it as long as you have at least one remaining user account with User Administrator privileges.
To remove the Full Administrator user role, perform the following steps.
- Add at least one user account with User Administrator privileges, or ensure that at least one such user account already exists.
- Ensure that there is only a single user account with Full Administrator privileges.
- While logged in as the single remaining Full Administrator user, select your own user account and either delete it or assign it a new user role.
- If the machine that the Cloudera Navigator roles are running on needs to be replaced, the Cluster Administrator will want to move all the roles running on that machine to a different machine. The Cluster Administrator can move any non-Navigator roles by deleting and re-adding them, but would need a Navigator Administrator to perform the stop, delete, add, and start actions for the Cloudera Navigator roles.
- In order to take HDFS snapshots, snapshots must be enabled on the cluster by a Cluster Administrator, but the snapshots themselves must be taken by a BDR Administrator.
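
The preconditions in the steps for removing the Full Administrator user role can be checked before the last Full Administrator changes its own account, so that user management is not lost. The following Python is an added example, not Cloudera code; the inventory format (username mapped to role name), the sample accounts, and the function name are assumptions made for illustration.

```python
FULL_ADMIN = "Full Administrator"
USER_ADMIN = "User Administrator"

# Constructed sample inventory: username -> role name as listed on this page.
SAMPLE_USERS = {
    "admin": FULL_ADMIN,
    "iam1": USER_ADMIN,
    "ops1": "Operator",
    "audit1": "Auditor",
}


def check_full_admin_removal(users, acting_user, new_role=None):
    """Return blocking problems for the removal; an empty list means proceed.

    users       -- dict of username -> role name (hypothetical export format)
    acting_user -- logged-in account that will delete or reassign itself
    new_role    -- role to assign to acting_user, or None to delete the account
    """
    if users.get(acting_user) != FULL_ADMIN:
        return [f"{acting_user} is not a Full Administrator"]

    problems = []
    # Step 1: a User Administrator account must already exist.
    if not any(role == USER_ADMIN for role in users.values()):
        problems.append("no User Administrator account exists")
    # Step 2: the acting user must be the only Full Administrator left.
    others = sorted(u for u, role in users.items()
                    if role == FULL_ADMIN and u != acting_user)
    if others:
        problems.append("other Full Administrators remain: " + ", ".join(others))
    # Step 3: the account is deleted (None) or given a different role.
    if new_role == FULL_ADMIN:
        problems.append("new role is still Full Administrator")
    return problems


if __name__ == "__main__":
    # Safe case: one Full Administrator, one User Administrator.
    print(check_full_admin_removal(SAMPLE_USERS, "admin", "Cluster Administrator"))
    # Lockout case: nobody would be left to manage user accounts.
    no_iam = {u: r for u, r in SAMPLE_USERS.items() if r != USER_ADMIN}
    print(check_full_admin_removal(no_iam, "admin"))
```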