Cloudera Manager User Roles
Access to Cloudera Manager features is controlled by user accounts. For more information about user accounts, see Cloudera Manager User Accounts. Among the properties of a user account is the user role, which determines the Cloudera Manager features visible to the user and the actions the user can perform. All the tasks in the Cloudera Manager documentation indicate which role is required to perform the task.
User Roles
- Auditor
- View configuration and monitoring information in Cloudera Manager.
- View audit events.
- Read-Only
- View configuration and monitoring information in Cloudera Manager.
- View service and monitoring information.
- View events and logs.
- View replication jobs and snapshot policies.
- View YARN applications and Impala queries.
The Read-Only role does not allow the user to:- Add services or take any actions that affect the state of the cluster.
- Use the HDFS file browser.
- Use the HBase table browser.
- Use the Solr Collection Statistics browser.
- Dashboard
- Create, edit, or remove dashboards that belong to the user.
- Add an existing chart or create a new chart to add to a dashboard that belongs to the user.
- Perform the same tasks as the Read-Only role.
- Limited Operator
- View configuration and monitoring information in Cloudera Manager.
- View service and monitoring information.
- Decommission hosts (except hosts running Cloudera Management Service roles).
- Perform the same tasks as the Read-Only role.
The Limited Operator role does not allow the user to add services or take any other actions that affect the state of the cluster.
- Operator
- View configuration and monitoring information in Cloudera Manager.
- View service and monitoring information.
- Stop, start, and restart clusters, services (except the Cloudera Management Service), and roles.
- Decommission and recommission hosts (except hosts running Cloudera Management Service roles).
- Decommission and recommission roles (except Cloudera Management Service roles).
- Start, stop, and restart KMS.
- Perform the same tasks as the Read-Only role.
The Operator role does not allow the user to add services, roles, or hosts, or take any other actions that affect the state of the cluster.
- Configurator
- View configuration and monitoring information in Cloudera Manager.
- Perform all Operator operations.
- Configure services (except the Cloudera Management Service).
- Enter and exit maintenance mode.
- Manage dashboards (including Cloudera Management Service dashboards).
- Start, stop, and restart KMS
- Perform the same tasks as the Read-Only role.
- Cluster Administrator - View all data and perform all actions except the following:
- Administer Cloudera Navigator.
- View replication schedules and snapshot policies.
- View audit events.
- Manage user accounts and configuration of external authentication.
- Manage Full Administrator accounts.
- Configure HDFS encryption, administer Key Trustee Server, and manage encryption keys.
- Use the HDFS file browser, the HBase table browser, and the Solr Collection browser.
- Perform the same tasks as the Read-Only role.
- BDR Administrator
- View configuration and monitoring information in Cloudera Manager.
- View service and monitoring information.
- Perform replication and define snapshot operations.
- Use the HDFS file browser, the HBase table browser, and the Solr Collection browser.
- Perform the same tasks as the Read-Only role.
- User Administrator
- View configuration and monitoring information in Cloudera Manager.
- View service and monitoring information.
- Manage user accounts and configuration of external authentication.
- Use the HDFS file browser, the HBase table browser, and the Solr Collection browser.
- Perform the same tasks as the Read-Only role.
- Key Administrator
- View configuration and monitoring information in Cloudera Manager.
- Configure HDFS encryption, administer Key Trustee Server, and manage encryption keys.
- Start, stop, and restart KMS
- Configure KMS ACLs
- Use the HDFS file browser, the HBase table browser, and the Solr Collection browser.
- Perform the same tasks as the Read-Only role.
- Full Administrator - Full Administrators have permissions to view all data and do all actions, including reconfiguring and restarting services, and administering other users.
The user roles and associated permissions are summarized as follows:
Permission User role |
View configuration and monitoring information |
Decommission |
Recommission |
Decommission |
Start, stop, |
Enter and |
Edit |
Create, modify, |
Administer |
Perform |
View |
Manage user |
Configure HDFS |
Perform all |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Full Administrator | ||||||||||||||
Key Administrator | ||||||||||||||
User |
||||||||||||||
Navigator |
||||||||||||||
BDR |
||||||||||||||
Cluster |
||||||||||||||
Configurator | ||||||||||||||
Operator | ||||||||||||||
Limited |
||||||||||||||
Read-Only | ||||||||||||||
Auditor |
Determining the Role of the Currently Logged in User
- Click the logged-in username at the far right of the top navigation bar. The role displays under the username. For example:
Removing the Full Administrator User Role
Minimum Required Role: User Administrator (also provided by Full Administrator)
In some organizations, security policies may prohibit the use of the Full Administrator role. The Full Administrator role is created during Cloudera Manager installation, but you can remove it as long as you have at least one remaining user account with User Administrator privileges.
To remove the Full Administrator user role, perform the following steps.
- Add at least one user account with User Administrator privileges, or ensure that at least one such user account already exists.
- Ensure that there is only a single user account with Full Administrator privileges.
- While logged in as the single remaining Full Administrator user, select your own user account and either delete it or assign it a new user role.
- If the machine that the Cloudera Navigator roles are running on needs to be replaced, the Cluster Administrator will want to move all the roles running on that machine to a different machine. The Cluster Administrator can move any non-Navigator roles by deleting and re-adding them, but would need a Navigator Administrator to perform the stop, delete, add, and start actions for the Cloudera Navigator roles.
- In order to take HDFS snapshots, snapshots must be enabled on the cluster by a Cluster Administrator, but the snapshots themselves must be taken by a BDR Administrator.