Registering a RAZ-enabled Azure environment
You can use the CDP web interface or CDP CLI to register a RAZ-enabled Azure environment.
You can enable RAZ on the latest available version of Cloudera Runtime. The minimum Cloudera Runtime version supporting RAZ for Azure environments is 7.2.11.
When you register an Azure environment, enable the Fine-grained access control on ADLS Gen2 option, and then provide the managed identity that you created earlier.
After you implement RAZ by registering the RAZ-enabled Azure environment, the
following RAZ authorization steps are completed by the RAZ server automatically:
- Coordinates with IDBroker to generate and cache the user delegation token.
- Updates the cached user delegation token periodically.
- Authorizes the collated information from the RAZ client. When an action is performed on a given cloud storage or path, the RAZ client collates the information and sends it to the RAZ server for further processing.
The RAZ server generates the responses based on the requests.
The following table lists the request and the response generated by the RAZ server for the request:
Request | Response |
---|---|
Allowed | RAZ server responds with a DSAS token. HDFS driver uses this token information to access cloud storage or path. For more information about the request, login to Ranger Admin UI and check the access audit reports. |
Denied | RAZ server returns Access denied response. |
Not Determined | RAZ server responds with a DSAS token only if the RAZ service is configured to fallback. Otherwise, the RAZ server returns an Access denied response. |
Server failed | If RAZ failed to process a request, the RAZ server failed to process the request error appears. |