Cloudera Manager User Roles
Access to Cloudera Manager features is controlled by user accounts that specify an authentication mechanism and one or more user roles. User roles determine the tasks that an authenticated user can perform and the features visible to the user in the Cloudera Manager Admin Console. In addition to the default user roles, you can create user roles that apply only to specific clusters.
Documentation for Cloudera Manager administration and management tasks indicates the user roles required to perform each task.
Continue reading:
- Displaying Your Roles
- Default User Roles
- User Roles with Privileges for a Cluster
- Adding a User Role for a Specific Cluster
- Mapping External Authentication to a Role
- Assigning Users to a Role
- Removing a User or External Mapping from a User Role
- Removing a Role
- Removing the Full Administrator User Role
Displaying Your Roles
To view your roles, perform the following step:
- In the Cloudera Manager Admin Console, select .
Default User Roles
By default, Cloudera Manager ships with user roles that have privileges for all clusters managed by Cloudera Manager. You can create roles that are a combination of a default user role and privileges on a specific cluster. For more information about this type of role, see User Roles with Privileges for a Cluster.
- Auditor
- View configuration and monitoring information in Cloudera Manager.
- View audit events.
- Read-Only
- View configuration and monitoring information in Cloudera Manager.
- View service and monitoring information.
- View events and logs.
- View replication jobs and snapshot policies.
- View YARN applications and Impala queries.
The Read-Only role does not allow the user to:
- Add services or take any actions that affect the state of the cluster.
- Use the HDFS file browser.
- Use the HBase table browser.
- Use the Solr Collection Statistics browser.
- Dashboard
- Create, edit, or remove dashboards that belong to the user.
- Add an existing chart or create a new chart to add to a dashboard that belongs to the user.
- Perform the same actions as the Read-Only role.
- Limited Operator
- View configuration and monitoring information in Cloudera Manager.
- View service and monitoring information.
- Decommission hosts (except hosts running Cloudera Management Service roles).
- Perform the same actions as the Read-Only role.
The Limited Operator role does not allow the user to add services or take any other actions that affect the state of the cluster.
- Operator
- View configuration and monitoring information in Cloudera Manager.
- View service and monitoring information.
- Stop, start, and restart clusters, services (except the Cloudera Management Service), and roles.
- Decommission and recommission hosts (except hosts running Cloudera Management Service roles).
- Decommission and recommission roles (except Cloudera Management Service roles).
- Start, stop, and restart KMS.
- Perform the same actions as the Read-Only role.
The Operator role does not allow the user to add services, roles, or hosts, or take any other actions that affect the state of the cluster.
- Configurator
- View configuration and monitoring information in Cloudera Manager.
- Perform all Operator operations.
- Configure roles and services (except the Cloudera Management Service).
- Enter and exit maintenance mode.
- Manage dashboards (including Cloudera Management Service dashboards).
- Start, stop, and restart KMS.
- Perform the same actions as the Read-Only role.
- Cluster Administrator
- Apply policies to redact sensitive data.
- Recommission hosts, and decommission and recommission roles.
- Enter and exit Maintenance Mode.
- Edit the configuration of services and roles.
- Access all functionality that Cloudera Manager offers.
- Start, stop, and restart most clusters, services, and roles.
- View data in Cloudera Manager.
- Start, stop, and restart KMS.
- Decommission hosts.
- BDR Administrator
- View configuration and monitoring information in Cloudera Manager.
- View service and monitoring information.
- Perform replication and define snapshot operations.
- Perform the same actions as the Read-Only role.
- User Administrator
- View configuration and monitoring information in Cloudera Manager.
- View service and monitoring information.
- Manage user accounts and configuration of external authentication.
- Create, update, or delete external account configuration.
- Perform the same actions as the Read-Only role.
- Key Administrator
- View configuration and monitoring information in Cloudera Manager.
- Configure HDFS encryption, administer Key Trustee Server, and manage encryption keys.
- Start, stop, and restart KMS.
- Configure KMS ACLs.
- Perform the same actions as the Read-Only role.
- Full Administrator
- Apply policies to redact sensitive data.
- Administer Cloudera Navigator.
- Create, modify, and delete your own dashboards.
- Manage user accounts and configuration of external authentication.
- Enter and exit Maintenance Mode.
- Edit the configuration of services and roles.
- View data in Cloudera Manager.
- Start, stop, and restart KMS.
- Manage Full Administrator accounts.
- Decommission hosts.
- View audit events.
- Create, update, or delete external account configuration.
- Configure HDFS Encryption, administer Key Trustee Server, and manage encryption keys.
- Recommission hosts, and decommission and recommission roles.
- Access all functionality that Cloudera Manager offers.
- Create replication schedules and snapshot policies.
- Start, stop, and restart most clusters, services, and roles.
User Roles with Privileges for a Cluster
In addition to the default user roles, you can create user roles that apply only to specific clusters. Creating this new role is done by assigning a privilege for a specific cluster to a default role. When a user account has multiple roles, the privileges are the union of all the roles.
For example, the user account milton has the Limited Operator role and Read-Only role with a scope of Cluster 1. Additionally, milton has the Configurator role on Cluster 2.
On Cluster 1, milton can perform all the actions that a Limited Operator and Read-Only can.
On Cluster 2, milton can perform all the actions that a Configurator can.
The user account milton cannot perform these or any other actions on the other clusters that are managed by Cloudera Manager because the account does not have any other roles.
Another user account, edith, has the Configurator role with privileges for all clusters. This means that edith can perform the actions of the Configurator role on all clusters that Cloudera Manager manages since the scope is all clusters.
You can assign privileges for a specific cluster to the following user roles:
- Cluster Administrator
- Configurator
- Limited Operator
- Operator
- Read-Only
User roles that cannot be assigned privileges for a specific cluster apply to all clusters. For example, if edith has the Key Administrator user role, she can perform the actions of a Key Administrator on all clusters.
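The scoping rules above (privileges are the union of all roles whose scope covers the cluster, and only five roles can be limited to one cluster) can be modelled directly. The following is an added example, not Cloudera code; the role names come from this page, while the action sets are abbreviated, constructed stand-ins for the full privilege lists, and the two accounts reproduce the milton and edith scenario.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

# Roles that the page says can be given privileges for a specific cluster;
# every other role always applies to all clusters Cloudera Manager manages.
CLUSTER_SCOPABLE = {"Cluster Administrator", "Configurator",
                    "Limited Operator", "Operator", "Read-Only"}

# Abbreviated, constructed action sets; the page lists the full privileges.
ROLE_ACTIONS = {
    "Read-Only": {"view_config", "view_events", "view_replication"},
    "Limited Operator": {"view_config", "decommission_hosts"},
    "Operator": {"view_config", "decommission_hosts", "recommission_hosts",
                 "restart_services", "restart_kms"},
    "Configurator": {"view_config", "decommission_hosts", "recommission_hosts",
                     "restart_services", "restart_kms", "configure_services",
                     "maintenance_mode"},
    "Key Administrator": {"view_config", "manage_keys", "configure_kms_acls"},
}

@dataclass(frozen=True)
class Assignment:
    role: str
    cluster: Optional[str] = None  # None means "privileges for all clusters"

def validate(a: Assignment) -> None:
    """Reject a cluster scope on a role that Cloudera Manager only offers globally."""
    if a.cluster is not None and a.role not in CLUSTER_SCOPABLE:
        raise ValueError(f"{a.role} cannot be restricted to {a.cluster}")

def effective_actions(assignments: Iterable[Assignment], cluster: str) -> set:
    """Union of the actions of every role whose scope covers `cluster`."""
    actions: set = set()
    for a in assignments:
        validate(a)
        if a.cluster is None or a.cluster == cluster:
            actions |= ROLE_ACTIONS[a.role]
    return actions

def can(assignments: Iterable[Assignment], cluster: str, action: str) -> bool:
    return action in effective_actions(assignments, cluster)

# The page's two accounts, reconstructed from its description.
MILTON = [Assignment("Limited Operator", "Cluster 1"),
          Assignment("Read-Only", "Cluster 1"),
          Assignment("Configurator", "Cluster 2")]
EDITH = [Assignment("Configurator"), Assignment("Key Administrator")]

if __name__ == "__main__":
    for cluster in ("Cluster 1", "Cluster 2", "Cluster 3"):
        print(cluster, sorted(effective_actions(MILTON, cluster)))
```

Running the block shows milton with no actions at all on Cluster 3, which is the least-privilege outcome the page describes for clusters where an account holds no role.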
Adding a User Role for a Specific Cluster
To create a role that has privileges for a specific cluster, perform the following steps:
- In the Cloudera Manager Admin Console, navigate to .
- Click Add Role.
- Specify the following:
- Privilege: The user role and cluster you want to assign privileges for.
- Users: The users you want to assign to this new role. You can assign users now or at a later time.
- LDAP Group/External Program Exit Codes/SAML Attributes/SAML Script Exit Codes: The external mapping you want to assign this new role to. You can assign external mappings now or at a later time with the process described in Mapping External Authentication to a Role.
This field depends on your authentication mode and does not appear for local users.
Valid values for the External Program Exit Code and SAML Script Exit Code are between 0 and 127. You define which users are associated with these values when you configure your external authentication. For more information,
If you are upgrading to Cloudera Manager 6 from Cloudera Manager 5, existing mappings are imported from Cloudera Manager 5. These imported mappings can be changed.
The following list describes the LDAP groups imported from Cloudera Manager 5:
- LDAP Full Administrator Groups
- LDAP User Administrator Groups
- LDAP Cluster Administrator Groups
- LDAP BDR Administrator Groups
- LDAP Configurator Groups
- LDAP Key Administrator Groups
- LDAP Navigator Administrator Groups
- LDAP Operator Groups
- LDAP Limited Operator Groups
- LDAP Auditor Groups
The following list describes the SAML and External Program codes imported from Cloudera Manager 5:
- 0 - Full Administrator
- 1 - Read-Only
- 2 - Limited Operator
- 3 - Operator
- 4 - Configurator
- 5 - Cluster Administrator
- 6 - BDR Administrator
- 7 - Navigator Administrator
- 8 - User Administrator
- 9 - Auditor
- 10 - Key Administrator
- 11 - Dashboard User
- Click Add.
Mapping External Authentication to a Role
For example, you are using a SAML Script and want to assign user accounts that correspond with exit code 15 to a Cluster Administrator role with privileges for a cluster named cluster1.
To accomplish this, perform the following steps in the Cloudera Manager Admin Console:
- Navigate to .
- Based on your authentication method, select LDAP Groups, SAML Attributes, SAML Scripts, or External Programs.
- Click Add <authentication method> Mapping.
- Fill in the value for your authentication method, such as SAML Script Exit Code, and select the role you want to map to that value from the dropdown menu.
For SAML Scripts and External Programs, valid values are between 0 and 127.
- Click Save.
- Repeat this process for all the roles you want to map.
Assigning Users to a Role
In addition to mapping groups, such as LDAP groups, to a user role, you can also assign individual users to a user role. If you do not assign a role, the local user defaults to no access. This means that the user cannot perform any actions on the cluster.
To add a user account to a role, perform the following steps:
- In the Cloudera Manager Admin Console, navigate to .
- Click Assign for the role you want to modify.
- Specify the Users or <Authentication Method Value> groups you want to assign to the role.
- Save the changes.
Removing a User or External Mapping from a User Role
Perform the following steps to remove a user account or external mapping from a user role:
- In the Cloudera Manager Admin Console, navigate to .
- Click Assign for the role you want to modify.
- Click the X for each user or external mapping you want to remove from the user role and click Save.
Removing a Role
To remove a role with a specific privilege, you must first remove all the user accounts that have that role. Note that you cannot remove the default roles that Cloudera Manager ships with.
- In the Cloudera Manager Admin Console, navigate to .
- Click Assign for the role you want to modify.
- Click the X for each user or external mapping you want to remove from the user role and click Save.
- Click Remove.
Removing the Full Administrator User Role
Minimum Required Role: User Administrator (also provided by Full Administrator)
In some organizations, security policies may prohibit the use of the Full Administrator role. The Full Administrator role is created during Cloudera Manager installation, but you can remove it as long as you have at least one remaining user account with User Administrator privileges.
To remove the Full Administrator user role, perform the following steps.
- Add at least one user account with User Administrator privileges, or ensure that at least one such user account already exists.
- Ensure that there is only a single user account with Full Administrator privileges.
- While logged in as the single remaining Full Administrator user, select your own user account and either delete it or assign it a new user role.
Without a Full Administrator, some tasks require more than one administrative role:
- If the machine that the Cloudera Navigator roles are running on needs to be replaced, the Cluster Administrator needs to move all the roles running on that machine to a different machine. The Cluster Administrator can move any non-Navigator roles by deleting and re-adding them, but needs a Navigator Administrator to perform the stop, delete, add, and start actions for the Cloudera Navigator roles.
- To take HDFS snapshots, snapshots must be enabled on the cluster by a Cluster Administrator, but the snapshots themselves must be taken by a BDR Administrator.