Assign a classic cluster resource role to a user

You can assign a specific resource role to a user or a machine user on the scope of a specific classic cluster to allow them to manage a specific classic cluster.

Required roles:
  • Owner or a role that allows administering the environment AND
  • One of the following: IamViewer or IamUser (required for listing users).
In order to assign a role, a user must have all rights from the role that they are planning to assign to another user; That is, a user can only assign a role higher than his own.
  1. In the Cloudera Management Console navigate to the Classic Clusters dashboard.
  2. Click on the (context menu) next to the cluster that you want to update and select Manage Access.
  3. Find the user that you want to update and click on Update Roles.
  4. Select or deselect the roles and then click on Update Roles.

Use the following commands to assign a resource to a user or a machine user:

cdp iam assign-user-resource-role \
--user-name <value> \
--resource-role-crn <value> \
--resource-crn <value> 
cdp iam assign-machine-user-resource-role \
--machine-user-name <value> \
--resource-role-crn <value> \
--resource-crn <value>

To remove a resource role from a user or a machine user:

cdp iam unassign-user-resource-role \
--user-name <value> \
--resource-role-crn <value> \
--resource-crn <value>
cdp iam unassign-machine-user-resource-role \
--machine-user-name <value> \
--resource-role-crn <value> \
--resource-crn <value>
  • The resource-role-crn parameter requires the CRN of the resource role you want to assign to the user. You can use the cdp iam list-resource-roles command to list resource roles with role CRNs.
  • The resource-crn parameter requires the CRN of the resource on which you want to grant the resource role permissions. You can obtain it from the details of the resource.

To get a list of the resource roles assigned to a user or a machine user:

cdp iam list-user-assigned-resource-role \
--user-name <value>
cdp iam list-machine-user-assigned-resource-role \
--machine-user-name <value>