Understanding roles and resource roles
To access resources and perform tasks in CDP, each user requires permissions. As a CDP administrator, you assign roles to a user to grant the permissions needed to perform those tasks.
A policy defines the permissions associated with a role. It consists of policy statements that grant permissions to resources. The policy attached to a role determines the operations that the role allows the user to perform. When users attempt to perform operations that are not permitted in their assigned role, they get a permission denied error message.
A role that is associated with specific resources is called a resource role. This type of role gives permission to perform tasks on a specific resource, such as a CDP environment.
CDP provides the following types of roles:
- CDP roles
- CDP resource roles
CDP has pre-defined roles for your use. You can assign a role or a combination of roles to give the user the appropriate permissions to complete tasks in CDP. You cannot modify the pre-defined CDP roles or the policies associated with the pre-defined roles.
The scope of pre-defined roles and resource roles can vary. For example, a role might grant view access only to CDP ML clusters but not CDP Data Warehouse clusters. You might need to assign multiple roles to ensure that a user can perform all required tasks in CDP.
CDP roles
A CDP role grants permissions to perform tasks in CDP that are not associated with a specific resource. You explicitly assign a role to a user account.
The pre-defined CDP roles available in CDP that you can assign to CDP users, machine users, and groups are as follows:
- PowerUser - Grants permission to perform all tasks on all resources.
- IamUser - Grants permission to create access keys for the user, view assigned roles, and view all users in the account.
- IamViewer - Grants permission to view assigned roles and view all users in the account.
CDP roles can be assigned from the Management Console > User Management > Roles tab.
CDP resource roles
A resource role grants a user or group permission to access and perform tasks on specific resources. You assign a resource role to a user account by selecting a combination of a resource and a resource role.
When you assign a resource role, you must specify the resource (specifically, the environment) on which to grant the resource role permissions. For example, you can assign a user a resource role that grants permission on an environment. The user assigned the resource role can access and perform tasks on only the cloud provider resources described in the environment.
The resource role determines the tasks that the user can perform using the resources associated with the role. For example, the EnvironmentUser resource role assigned to a user allows a user to access and use the resources described in the environment associated with the resource role.
You cannot modify the pre-defined resource roles or the policies associated with the pre-defined resource roles.
The pre-defined resource roles available in CDP that you can assign to CDP users, machine users, and groups are as follows:
- EnvironmentAdmin - Grants a CDP user/group all the rights to an environment and Data Hub clusters. The EnvironmentAdmin resource role is assigned the Limited Cluster Administrator role in Cloudera Manager. Environment Admins can manage the cluster lifecycle, change configurations, and manage parcels. For more information on CM roles, see the topic Default User Roles.
- EnvironmentUser - Grants a CDP user/group the ability to view Data Hub clusters and set the FreeIPA password for the environment. The EnvironmentUser resource role is assigned the Read-Only role in Cloudera Manager. For more information on CM roles, see the topic Default User Roles.
- MLAdmin - Grants a CDP user/group the ability to create and delete Cloudera Machine Learning workspaces within a given CDP environment. MLAdmins will also have Site Administrator level access to all the workspaces provisioned within this environment. They can run workloads, monitor, and manage all user activity on these workspaces.
- MLUser - Grants a CDP user/group the ability to view Cloudera Machine Learning workspaces provisioned within a given CDP environment. MLUsers will also be able to run workloads on all the workspaces provisioned within this environment.
- DWAdmin - Grants a CDP user/group the ability to activate/terminate or launch/stop/update services in Database Catalogs and Virtual Warehouses.
- DWUser - Grants a CDP user/group the ability to view and use Cloudera Data Warehouse clusters within a given CDP environment.
- DataCatalogCspRuleManager - Grants a CDP user/group permission to perform all tasks on CSP rules in Data Catalog.
- DataCatalogCspRuleViewer - Grants a CDP user/group permission to list and view CSP rules in Data Catalog.
CDP resource roles can be assigned from the Management Console > Environments > (select the environment) > Actions > Manage Access > Access.
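The following is an added, constructed model of how the two role types described above combine during an authorization check; it is example code, not Cloudera's policy engine, and the action names and environment CRNs it uses are assumed for illustration. It shows that a CDP role applies account-wide, that a resource role applies only on the environment it was assigned on, and that an operation permitted by none of the assigned roles is denied.

```python
# Constructed model of CDP role (account-wide) vs. resource role
# (environment-scoped) evaluation. Example only, not Cloudera's code;
# action names and environment CRNs are assumed for illustration.
from __future__ import annotations
from dataclasses import dataclass, field

# CDP roles are not tied to a resource. "*" stands in for PowerUser's
# "all tasks on all resources".
CDP_ROLES = {
    "PowerUser": {"*"},
    "IamUser": {"iam:createAccessKey", "iam:viewRoles", "iam:listUsers"},
    "IamViewer": {"iam:viewRoles", "iam:listUsers"},
}

# Resource roles only apply on the environment they are assigned on.
RESOURCE_ROLES = {
    "EnvironmentAdmin": {"datahub:view", "datahub:create", "datahub:delete", "cm:manageConfig"},
    "EnvironmentUser": {"datahub:view", "freeipa:setPassword"},
    "MLAdmin": {"ml:viewWorkspace", "ml:createWorkspace", "ml:deleteWorkspace"},
    "MLUser": {"ml:viewWorkspace", "ml:runWorkload"},
}


class PermissionDenied(Exception):
    """Raised when no assigned role or resource role permits the operation."""


@dataclass
class Principal:
    name: str
    roles: set[str] = field(default_factory=set)
    # environment CRN -> resource roles granted on that environment
    resource_roles: dict[str, set[str]] = field(default_factory=dict)


def is_allowed(p: Principal, action: str, env: str | None = None) -> bool:
    # 1. Account-wide CDP roles are checked regardless of the target resource.
    for role in p.roles:
        perms = CDP_ROLES[role]
        if "*" in perms or action in perms:
            return True
    # 2. Resource roles count only for the environment named in the request;
    #    a role granted on environment A says nothing about environment B.
    if env is None:
        return False
    return any(action in RESOURCE_ROLES[r] for r in p.resource_roles.get(env, ()))


def authorize(p: Principal, action: str, env: str | None = None) -> None:
    """Raise PermissionDenied unless some assigned role permits the action."""
    if not is_allowed(p, action, env):
        raise PermissionDenied(f"{p.name}: {action} not permitted on {env or 'account'}")
```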