Cloudera Manager User Roles

Access to Cloudera Manager features is controlled by user accounts. For more information about user accounts, see Cloudera Manager User Accounts. Among the properties of a user account is the user role, which determines the Cloudera Manager features visible to the user and the actions the user can perform. All the tasks in the Cloudera Manager documentation indicate which role is required to perform the task.

User Roles

A Cloudera Manager user account can be assigned one of the following roles with associated permissions:
  • Auditor
    • View configuration and monitoring information in Cloudera Manager.
    • View audit events.
  • Read-Only
    • View configuration and monitoring information in Cloudera Manager.
    • View service and monitoring information.
    • View events and logs.
    • View replication jobs and snapshot policies.
    • View YARN applications and Impala queries.
    The Read-Only role does not allow the user to:
    • Add services or take any actions that affect the state of the cluster.
    • Use the HDFS file browser.
    • Use the HBase table browser.
    • Use the Solr Collection Statistics browser.
  • Dashboard
    • Create, edit, or remove dashboards that belong to the user.
    • Add an existing chart or create a new chart to add to a dashboard that belongs to the user.
    • Perform the same tasks as the Read-Only role.
  • Limited Operator
    • View configuration and monitoring information in Cloudera Manager.
    • View service and monitoring information.
    • Decommission hosts (except hosts running Cloudera Management Service roles).
    • Perform the same tasks as the Read-Only role.

    The Limited Operator role does not allow the user to add services or take any other actions that affect the state of the cluster.

  • Operator
    • View configuration and monitoring information in Cloudera Manager.
    • View service and monitoring information.
    • Stop, start, and restart clusters, services (except the Cloudera Management Service), and roles.
    • Decommission and recommission hosts (except hosts running Cloudera Management Service roles).
    • Decommission and recommission roles (except Cloudera Management Service roles).
    • Start, stop, and restart KMS.
    • Perform the same tasks as the Read-Only role.

    The Operator role does not allow the user to add services, roles, or hosts, or take any other actions that affect the state of the cluster.

  • Configurator
    • View configuration and monitoring information in Cloudera Manager.
    • Perform all Operator operations.
    • Configure services (except the Cloudera Management Service).
    • Enter and exit maintenance mode.
    • Manage dashboards (including Cloudera Management Service dashboards).
    • Start, stop, and restart KMS
    • Perform the same tasks as the Read-Only role.
  • Cluster Administrator - View all data and perform all actions except the following:
    • Administer Cloudera Navigator.
    • View replication schedules and snapshot policies.
    • View audit events.
    • Manage user accounts and configuration of external authentication.
    • Manage Full Administrator accounts.
    • Configure HDFS encryption, administer Key Trustee Server, and manage encryption keys.
    • Use the HDFS file browser, the HBase table browser, and the Solr Collection browser.
    • Perform the same tasks as the Read-Only role.
  • BDR Administrator
    • View configuration and monitoring information in Cloudera Manager.
    • View service and monitoring information.
    • Perform replication and define snapshot operations.
    • Use the HDFS file browser, the HBase table browser, and the Solr Collection browser.
    • Perform the same tasks as the Read-Only role.
  • Navigator Administrator
    • View configuration and monitoring information in Cloudera Manager.
    • View service and monitoring information.
    • Administer Cloudera Navigator.
    • View audit events.
    • Use the HDFS file browser, the HBase table browser, and the Solr Collection browser.
    • Perform the same tasks as the Read-Only role.
  • User Administrator
    • View configuration and monitoring information in Cloudera Manager.
    • View service and monitoring information.
    • Manage user accounts and configuration of external authentication.
    • Use the HDFS file browser, the HBase table browser, and the Solr Collection browser.
    • Perform the same tasks as the Read-Only role.
  • Key Administrator
    • View configuration and monitoring information in Cloudera Manager.
    • Configure HDFS encryption, administer Key Trustee Server, and manage encryption keys.
    • Start, stop, and restart KMS
    • Configure KMS ACLs
    • Use the HDFS file browser, the HBase table browser, and the Solr Collection browser.
    • Perform the same tasks as the Read-Only role.
  • Full Administrator - Full Administrators have permissions to view all data and do all actions, including reconfiguring and restarting services, and administering other users.

The user roles and associated permissions are summarized as follows:

Cloudera Manager User Roles

Permission





User role

View configuration and monitoring information

Decommission
hosts

Recommission
hosts

Decommission
and
recommission
roles

Start, stop,
and restart
clusters, services,
and roles

Enter and
exit maintenance
mode

Edit
configurations

Create, modify,
and delete
dashboards
and charts

Administer
Cloudera
Navigator

Perform
replication and
snapshot operations

View
audit
events

Manage user
accounts and configuration
of external authentication

Configure HDFS
Encryption, administer
Key Trustee Server,
and manage
encryption keys

Perform all
administrative
functions not
enumerated here
Full Administrator
Key Administrator

User
Administrator

Navigator
Administrator

BDR
Administrator

Cluster
Administrator
Configurator
Operator

Limited
Operator
Read-Only
Auditor

Determining the Role of the Currently Logged in User

  1. Click the logged-in username at the far right of the top navigation bar. The role displays under the username. For example:

Removing the Full Administrator User Role

Minimum Required Role: User Administrator (also provided by Full Administrator)

In some organizations, security policies may prohibit the use of the Full Administrator role. The Full Administrator role is created during Cloudera Manager installation, but you can remove it as long as you have at least one remaining user account with User Administrator privileges.

To remove the Full Administrator user role, perform the following steps.

  1. Add at least one user account with User Administrator privileges, or ensure that at least one such user account already exists.
  2. Ensure that there is only a single user account with Full Administrator privileges.
  3. While logged in as the single remaining Full Administrator user, select your own user account and either delete it or assign it a new user role.
A consequence of removing the Full Administrator role is that some tasks may require collaboration between two or more users with different user roles. For example:
  • If the machine that the Cloudera Navigator roles are running on needs to be replaced, the Cluster Administrator will want to move all the roles running on that machine to a different machine. The Cluster Administrator can move any non-Navigator roles by deleting and re-adding them, but would need a Navigator Administrator to perform the stop, delete, add, and start actions for the Cloudera Navigator roles.
  • In order to take HDFS snapshots, snapshots must be enabled on the cluster by a Cluster Administrator, but the snapshots themselves must be taken by a BDR Administrator.