Configuring ADLS Access Using Cloudera Manager
Minimum Required Role: User Administrator (also provided by Full Administrator)
- Run Hive and Impala queries on tables backed by data stored in ADLS.
- Browse ADLS stores using Hue.
When you configure credentials using Cloudera Manager, it provides a more secure way to access ADLS using credentials that are not stored in plain-text files. The client configuration files generated by Cloudera Manager based on configured services do not include ADLS credentials. Command-line and API clients must manage access to these credentials outside of Cloudera Manager. Cloudera Manager provides credentials directly to trusted clients such as the Impala daemon and Hue. For access from YARN, MapReduce or Spark, see Configuring ADLS Gen1 Connectivity.
Configuring ADLS Credentials in Cloudera Manager
If you have already created your ADLS account and configured ADLS credentials in Cloudera Manager, skip this section and continue with Adding the ADLS Connector Service.
- Create your ADLS account. See the Microsoft documentation.
- Create the Active Directory service principal in the Azure portal. See the Microsoft documentation on creating
a service principal. You will need the following to configure ADLS credentials in Cloudera Manager:
- Client ID
- Client secret
- Tenant ID
- Grant the service principal permission to access the ADLS account. See the Microsoft documentation on Authorization and access control. Review the section,
"Using ACLs for operations on file systems" for information about granting the service principal permission to access the account. The service principal should have read, write, and execute
permissions.
You can skip the section on RBAC (role-based access control) because RBAC is used for management and you only need data access.
- Open Cloudera Manager and go to .
- Select the Azure Credentials tab.
- Click Add AD Service Principal.
- In the Name field, enter a unique name to identify the credentials in your cluster.
- Enter the Client ID, Client Secret Key, and Tenant ID that you obtained when creating the ADLS account and service principal.
- Click Save.
The Connect to Azure Data Lake Storage dialog box displays.
- Click Enable for Cluster_Name to add the ADLS Connector Service, as described in the next section.
Adding the ADLS Connector Service
Minimum Required Role: Cluster Administrator (also provided by Full Administrator)
Use this procedure to add the ADLS Connector Service using Cloudera Manager. If you have not already configured ADLS Credentials in Cloudera Manager, see Configuring ADLS Credentials in Cloudera Manager before continuing.
- In the Cloudera Manager Admin console, go to the cluster where you want to add the ADLS Connector Service.
- Click .
- Select ADLS Connector.
- Click Continue.
The Add ADLS Connector Service to Cluster Name wizard displays.
- Select the ADLS credential to use with this service from the Name drop-down list.
- Click Continue.
The wizard checks your configuration for compatibility with ADLS and reports any issues. The wizard does not allow you to continue if you have an invalid configuration. Fix any issues, and then repeat these steps to add the ADLS Connector Service.
- Select a Credentials Protection Policy. Choose one of the following:
- Less Secure
Credentials can be stored in plain text in some configuration files for specific services (currently Impala, Hive, and Hue) in the cluster.
This configuration is appropriate for single-user clusters or clusters where strict fine-grained access control is not required.
- More Secure
The More Secure option requires that you enable Kerberos and the Apache Sentry Service in the cluster.
Cloudera Manager distributes secrets to a limited set of services (currently Impala and Hue) and enables those services to access ADLS securely, using encrypted credentials. It does not distribute these credentials to any other clients or services.
Other ADLS configurations settings that are not sensitive are included in the configuration of all services and clients as needed.
This configuration is appropriate for secure, multi-tenant clusters that provide fine-grained access control to data stored in ADLS. You can use the Apache Sentry Service to limit access to specific users and applications.
- Less Secure
- Click Continue.
- If you have enabled the Hue service, the Additional Configuration for Hue screen displays. Enter the domain name of the Hue Browser Data Lake Store in the form: store_name.azuredatalakestore.net
- Click Continue.
The Restart Dependent Services page displays and indicates the dependent services that need to be restarted.
- Select Restart Now to restart these services. You can also restart these services later.
- Click Continue to complete the addition of the ADLS Connector Service. If Restart Now is selected, the dependent services are restarted. The progress of the restart commands displays.
- When the commands finish executing, click Continue.
- Click Finish.
Managing ADLS Credentials in Cloudera Manager
- Open Cloudera Manager and go to .
- Select the Azure Credentials tab.
- To remove a credential, in the row for the credential you want to change, click
You cannot remove a credential that is currently being used by the ADLS Connector Service; you must first remove the Connector Service from the cluster.
.
- To edit a credential, in the row for the credential you want to edit, click .
- Edit the fields of the credential as needed and click Save.
Removing the ADLS Connector Service
- Open Cloudera Manager and go to .
- Select the Azure Credentials tab.
- In the row for the credential used for the service, click
The Connect to Azure Data Lake Storage dialog box displays.
.
- Click Disable for Cluster_name.
- Click OK.
A message displays saying "The configuration has been updated". You will need to restart any stale services. Click the View Stale Configurations link to open the Stale Configurations page. Click Restart Stale Services.
You can also delete the ADLS Connector Service from the Cloudera Manager home page for the cluster. See Deleting Services.