A CDP account (sometimes called a CDP tenant) is the management console where users log in to access their services. A CDP account contains one or more CDP environments.
Physically, all management consoles run in a shared infrastructure (the Cloudera Control Plane). Each management console has a unique ID and is logically isolated from other CDP accounts. For example, if you have two CDP accounts, you cannot view the resources in account 2 if you are logged into account 1. Each CDP account, including sub-accounts, has a separate invoice.
A CDP account can have one or more identity providers. Each identity provider is connected to one SAML provider, which in turn is connected to an Active Directory. A CDP account can be connected to multiple Azure Active Directory organizations (via identity provider) and multiple subscriptions. Cloudera creates one CDP account per customer; you can create additional CDP accounts through a manual approvals process.
For example, the "Cloudera CDP Demos" account is connected to:
- 3 identity providers, each connected to an LDAP Server via SAML:
- Corporate OKTA, so that anybody with a cloudera.com email can log in (as long as they are entitled).
- An LDAP server used for workshops, so that we can provision temporary users without having to go through corporate account lifecycle management.
- An LDAP server hosting demo users, so that we can create new personas on demand for demo scenarios.
- Multiple Azure subscriptions; one per budget item (Sales, Product Management, Services, Tradeshow Demos etc.).
- This allows different groups to host their own demos and pay for them using their own cloud account.
A CDP environment exists inside a CDP account, and each CDP account can have many environments. An environment is a logical container for a Data Lake cluster and any workloads that are attached to that cluster, such as Data Hubs, Data Warehouses, Machine Learning environments, etc. All services running within an environment share the same metadata and use the same Data Lake.
Each environment can be associated with only one cloud account. This association is called a CDP credential and points to either:
- A service principal for a specific Azure subscription
- A cross-account role for a specific AWS account