Granting Users SSO Access to Provisioned ML Workspaces

This topic describes how to create CDP groups that will be automatically granted SSO access to an ML workspace.

Enable SSO so that certain user groups are automatically logged into the provisioned workspaces with the right privilege levels

Required Role: PowerUser

A CDP PowerUser must create 2 groups per-workspace: one for users that require Site Administrator-level access, and one for regular Data Scientists. The group names must match those provided by each individual ML workspace. ML workspaces are designed to automatically allow SSO access only to those groups that match the provided names.

The group names will use the following naming convention:
  • Site Administrator Group: MLAdmin_<truncated_cluster_name>

    Users will be logged in with Site Administrator access.

  • Data Scientist Group (a.k.a regular users): MLUser_<truncated_cluster_name>

    Users will be logged in as regular users that can run workloads (sessions/jobs/experiments/models).

Do not create your own group names. Group names are available from each workspace's Actions menu.

For complete instructions, see Granting Users SSO Access to Provisioned ML Workspaces.

  1. Log in to the CDP web interface at https://console.us-west-1.cdp.cloudera.com using your corporate credentials or any other credentials that you received from your CDP administrator.
  2. Click ML Workspaces.
  3. For the workspace that you want to configure, click Actions > View Authentication Groups.
  4. Save the names of the User and Admin groups displayed on the popup. You will require these names when you create the groups in the following steps.
  5. Click OK to exit.
  6. Click User Management > Groups > Create Group.
  7. Enter the name of the group to be created for Site Administrators.
    You must use the Admin Group name previously saved from the workspace.
  8. Add users to the Admin group you have created. For instructions, see Management Console: Adding a user to a group.
    The users you add to this group will have Site Administrator access to this workspace.
  9. Click Actions > Update Group.
  10. Repeat the last few steps to create a second group for regular users. Click User Management > Groups > Create Group.
  11. Enter the name of the group to be created for Data Scientists (aka non-Site Admin users).
    You must use the User Group name previously saved from the workspace.
  12. Add users to the User group you have created. For instructions, see Management Console: Adding a user to a group.
    The users you add to this group will have regular user access to this workspace and will be able to run workloads on this workspace. This group must include all the users added to the Admin group in the previous step. That is, anyone who requires Site Administrator access must be a member of both groups.
  13. Click Actions > Update Group.
  14. Select the Sync Membership checkbox and click Update.
CDP users belonging to the two groups will now be automatically logged in to that ML workspace, with their assigned privilege levels.