Resource roles
A role that is associated with a specific resource is called a resource role. This type of role gives permission to perform tasks on a specific resource, such as a specific Cloudera environment, shared resource, or Cloudera Data Hub cluster.
A resource role determines a specific set of tasks that the user can perform on the resources. For example, the EnvironmentUser resource role assigned to a user allows the user the rights contained in the resource role only on that particular environment.
The predefined resource roles available in Cloudera that you can assign to Cloudera users, machine users, and groups are as follows:
- Environment resource roles
- Shared resource resource roles
- Cloudera Data Hub resource roles
- Classic cluster resource roles
- The Owner resource role (available on all resources)
A resource role CRN has the following format:
crn:altus:iam:<CONTROL_PLANE_REGION>:altus:resourceRole:<RESOURCE_ROLE_NAME>
For example, the following is the DataHubAdmin role CRN:
crn:altus:iam:us-west-1:altus:resourceRole:DataHubAdmin
You can view all available resource roles and their CRNs by using the cdp iam list-resource-roles command.
Environment resource roles
Environment resource roles can be assigned on the scope of a specific environment.
These resource roles can be assigned from the Cloudera Management Console > Environments > navigate to a specific environment > Actions > Manage Access > Access, or from CDP CLI using the cdp iam assign-user-resource-role command.
Resource role | Description | Important considerations |
---|---|---|
EnvironmentAdmin | Grants all rights to the environment and Cloudera Data Hub clusters running in it, except the ability to delete the environment. | The user who created the environment automatically gets the EnvironmentAdmin role on the scope of that environment. The EnvironmentAdmin resource role is assigned the Limited Cluster Administrator role in Cloudera Manager. Users with this role can manage the cluster lifecycle, change configurations, and manage parcels. For more information on Cloudera Manager roles, see the topic Default User Roles. The Cloudera Manager Limited Cluster Administrator role is assigned to the EnvironmentAdmin because the Cloudera Control Plane is responsible for certain tasks historically done in Cloudera Manager, for example: adding or removing hosts as part of up/down-scaling and repair operations, executing upgrades of clusters in coordination with upgrading the OS images used by clusters, and creating new clusters based on templates preconfigured to work in a Cloudera environment. In addition, only selected services and workload types are currently supported in Cloudera Data Hub, represented by the built-in cluster definitions. Finally, certain Cloudera services like encryption-at-rest infrastructure are explicitly not designed for use in the public cloud, where the cloud provider's object store encryption capabilities should be used. Because of this, Cloudera Data Hub is prescriptive in its choice of workload types and the Cloudera Control Plane is best suited to manage most cluster life cycle operations. Doing so directly in Cloudera Manager could lead to unexpected operational issues. Cloudera Data Hub does, however, support fully customizable cluster templates. EnvironmentAdmin can manage access to the environment by assigning a user the EnvironmentAdmin, DataSteward, or EnvironmentUser role. |
EnvironmentPrivilegedUser | Grants permission to execute privileged operating system actions on Data Lake, FreeIPA, and Cloudera Data Hub virtual machines. | This is an add-on role that the Owner of the environment can assign to themselves or to other users in order to log in to Data Lake, FreeIPA, and Cloudera Data Hub VMs. Note that this role does not grant access to data service VMs, which remain accessible with the cloudbreak user key specified during environment registration. |
EnvironmentUser | Grants permission to view Cloudera Data Hub clusters and set the workload password for the environment. The EnvironmentUser resource role is assigned the Read-Only role in Cloudera Manager. For more information on Cloudera Manager roles, see the topic Default User Roles. | This role should be used in conjunction with service-specific roles such as DataHubAdmin, DWAdmin, DWUser, MLAdmin, MLUser, and so on. When assigning one of these service-specific roles to users, make sure to also assign the EnvironmentUser role. |
DataSteward | Grants permission to perform user/group management functions in Ranger and Atlas Admin, manage ID Broker mappings, and start user sync for the environment. | DataSteward can manage access to the environment by assigning a user DataSteward or EnvironmentUser role. |
DataHubCreator | Grants permission to create Cloudera Data Hub clusters in the environment. | |
DEAdmin | Grants permission to create, delete and administer Cloudera Data Engineering services for the environment. | When assigning this role, you should also assign the EnvironmentUser role. |
DEUser | Grants permission to list and use Cloudera Data Engineering services for the environment. | When assigning this role, you should also assign the EnvironmentUser role. |
DFAdmin | Grants permission to enable, disable and administer the Cloudera environment for Cloudera DataFlow. This includes granting and revoking the ability to access the Cloudera DataFlow Kubernetes API server. | When assigning this role, you should also assign the EnvironmentUser role. |
DFFlowAdmin | Grants permission to create, terminate, administer and monitor running deployments for the environment. | When assigning this role, you should also assign the EnvironmentUser role. |
DFFlowDeveloper | Grants permission to view, create, modify, or delete flow drafts; start and end test sessions in an environment. | When assigning this role, you should also assign the EnvironmentUser role. |
DFFlowUser | Grants permission to view and monitor deployments for the environment. | When assigning this role, you should also assign the EnvironmentUser role. |
DFProjectCreator | Grants permission to create a Cloudera DataFlow Project within a given Cloudera environment. | When assigning this role, you should also assign the EnvironmentUser role. |
DWAdmin | Grants permission to activate/terminate or launch/stop/update services in Database Catalogs and Virtual Warehouses. | When assigning this role, you should also assign the EnvironmentUser role. |
DWUser | Grants permission to view and use Cloudera Data Warehouse clusters within the environment. | When assigning this role, you should also assign the EnvironmentUser role. |
MLAdmin | Grants permission to create and delete Cloudera AI workbenches within the environment. MLAdmins will also have Site Administrator access to all the workbenches provisioned within this environment. They can run workloads, monitor, and manage all user activity on these workbenches. | When assigning this role, you should also assign the EnvironmentUser role. |
MLBusinessUser | Grants permission to view Cloudera AI workbenches for the environment. MLBusinessUsers are granted view-only access to applications that have been shared with them through projects inside a workbench. | When assigning this role, you should also assign the EnvironmentUser role. |
MLUser | Grants permission to view Cloudera AI workbenches provisioned within the environment. MLUsers are also able to run workloads on all the workbenches provisioned within this environment. | When assigning this role, you should also assign the EnvironmentUser role. MLUsers currently require the SharedResourceUser role on the cloud credential used for the environment. |
NotificationDistributionListAdmin | Grants permission to view, create, modify, and delete Distribution Lists for resource notifications. | |
NotificationSubscriber | Grants all rights for managing individual resource subscriptions and viewing resource notifications. | Ensure that you also have the required resource roles of the service to enable resource notifications. |
ODAdmin | Grants permission to create, drop and administer the Cloudera Operational Databases for the environment. | When assigning this role, also assign the DataSteward or EnvironmentAdmin role. |
ODUser | Grants permission to list and use Cloudera Operational Databases for the environment. | |
Owner | Grants all permissions required to manage the environment in Cloudera, including the ability to delete it. | The user who created the environment automatically gets the Owner role on the scope of that environment. The Owner role on the scope of an environment allows you to delete that environment, but to access the environment's clusters (Data Lakes, Cloudera Data Hub clusters), you need EnvironmentAdmin or EnvironmentUser. |
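As an added example (not Cloudera's own code or tooling), the following POSIX shell script composes resource role CRNs in the format shown above and expands a service-specific role into the set of roles this table says to assign together, printing the CDP CLI commands instead of running them. The cdp iam assign-user-resource-role flag names (--user, --resource-crn, --resource-role-crn), the placeholder CRNs, and the choice of DataSteward over EnvironmentAdmin for ODAdmin are assumptions.

```shell
#!/bin/sh
# Added example, not Cloudera's code. Builds resource role CRNs in the format
# shown on this page and expands a service-specific role into the roles the
# table says to assign with it. cdp flag names are assumed; dry run only.

# Compose a resource role CRN from a control plane region and a role name.
resource_role_crn() {
  printf 'crn:altus:iam:%s:altus:resourceRole:%s\n' "$1" "$2"
}

# Companion role required on the same environment, per the table's
# "Important considerations" column. Prints nothing when none is required.
companion_role() {
  case "$1" in
    DataHubAdmin|DEAdmin|DEUser|DFAdmin|DFFlowAdmin|DFFlowDeveloper|DFFlowUser)
      echo EnvironmentUser ;;
    DFProjectCreator|DWAdmin|DWUser|MLAdmin|MLBusinessUser|MLUser)
      echo EnvironmentUser ;;
    ODAdmin) echo DataSteward ;;  # table allows DataSteward or EnvironmentAdmin; narrower grant chosen
    *) echo "" ;;
  esac
}

# All roles to assign for a requested role, requested role first.
roles_to_assign() {
  extra=$(companion_role "$1")
  if [ -n "$extra" ] && [ "$extra" != "$1" ]; then
    echo "$1 $extra"
  else
    echo "$1"
  fi
}

# Dry run: print one assign command per role. Args: region, user CRN,
# environment CRN, requested role. MLUser also needs SharedResourceUser on the
# environment's credential (another resource scope), so that is flagged, not guessed.
plan_assignments() {
  region=$1 user=$2 env_crn=$3 role=$4
  for r in $(roles_to_assign "$role"); do
    printf 'cdp iam assign-user-resource-role --user %s --resource-crn %s --resource-role-crn %s\n' \
      "$user" "$env_crn" "$(resource_role_crn "$region" "$r")"
  done
  [ "$role" = MLUser ] && echo "# also assign SharedResourceUser on the environment's credential"
  return 0
}

# Constructed placeholder CRNs; replace with values from your own account.
plan_assignments us-west-1 'crn:altus:iam:us-west-1:<ACCOUNT_ID>:user:<USER_ID>' \
  'crn:cdp:environments:us-west-1:<ACCOUNT_ID>:environment:<ENV_ID>' DataHubAdmin
```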
Shared resource resource roles
Shared resource resource roles can be assigned on the scope of a specific shared resource such as a credential, cluster template, image catalog, proxy, or recipe. This does not include default shared resources (such as default cluster templates), which can be seen by everyone who is able to access the account.
These resource roles can be assigned from the Cloudera Management Console > Environments > Shared Resources > select a shared resource type > navigate to a specific shared resource > Manage Access, or from CDP CLI using the cdp iam assign-user-resource-role command.
You can view all available resource roles and their CRNs by using the cdp iam list-resource-roles command.
Resource role | Description | Important considerations |
---|---|---|
SharedResourceUser | This role enables shared resource sharing with other users. It grants permission to access and use the specific shared resource such as a specific cluster template, credential, image catalog, proxy, or recipe. | In order for a user to be able to use a provisioning credential for creating an environment, that user needs to be Owner or SharedResourceUser for that credential. |
Owner | Grants all permissions required to manage the shared resource in Cloudera, including the ability to delete it. | The user who created the shared resource automatically gets the Owner role on the scope of that shared resource. In order for a user to be able to use a provisioning credential for creating an environment, that user needs to be Owner or SharedResourceUser for that credential. |
Cloudera Data Hub resource roles
Cloudera Data Hub resource roles can be assigned on the scope of a specific Cloudera Data Hub cluster.
These resource roles can be assigned from the Management Console > Data Hub clusters > click on a cluster > Actions > Manage Access, or from CDP CLI using the cdp iam assign-user-resource-role command.
You can view all available resource roles and their CRNs by using the cdp iam list-resource-roles command.
Resource role | Description | Important considerations |
---|---|---|
DataHubAdmin (Technical Preview) | Grants administrative rights over the Cloudera Data Hub cluster, such as start, stop, scale, repair and grant or revoke access. | When assigning this role, you should also assign the EnvironmentUser role. Granting DataHubAdmin role does not grant Cloudera Manager admin rights or Cloudera Runtime service admin rights (for example NiFi Registry Admin). |
Owner | Grants all permissions required to manage the Cloudera Data Hub in Cloudera, including the ability to delete it. | The user who created the Cloudera Data Hub automatically gets the Owner role on the scope of that Cloudera Data Hub. The Owner role does not grant any cluster-level permissions such as the ability to access or manage a cluster via Cloudera Manager. In order to access Cloudera Data Hub clusters running within an environment, you should assign EnvironmentUser to a user or a group on the scope of that environment. |
Classic cluster resource roles
Classic cluster resource roles can be assigned on the scope of a specific classic cluster.
These resource roles can be assigned from the Cloudera Management Console > Classic clusters > context menu > Manage Access, or from CDP CLI using the cdp iam assign-user-resource-role command.
You can view all available resource roles and their CRNs by using the cdp iam list-resource-roles command.
Resource role | Description | Important considerations |
---|---|---|
ClassicClusterAdmin | Grants permission to perform any operation on the cluster, except deleting it. Grants permission to assign access to the cluster to other users. | |
ClassicClusterUser | Grants permission to access details of the cluster. | |
Owner | Grants all permissions required to manage the classic cluster in Cloudera, including the ability to delete it. | The user who created the classic cluster automatically gets the Owner role on the scope of that classic cluster. The Owner role does not grant any cluster-level permissions such as the ability to access or manage a cluster via Cloudera Manager. |
The Owner resource role
In addition to the aforementioned resource roles, Cloudera includes the Owner resource role.
The Owner role:
- Grants full permissions on a specific resource in the Cloudera Management Console, including the ability to delete the resource. It does not grant any cluster-level permissions such as the ability to access or manage a cluster via Cloudera Manager.
- Is assigned automatically on a resource to the user who created the resource. For example, if a user creates an environment called “test”, the user is assigned the Owner role for that environment.
- Allows a user to grant a set of rights (including the Owner role) on the resource to other users and groups. This is possible only if the user also has the IamUser or IamViewer role, which allows listing users within the organization.
- Can be assigned at the scope of the following resources: an environment, Data Lake, shared resource (cluster template, recipe, image catalog, credential, proxy), Cloudera Data Hub cluster, or classic cluster.
- Can be assigned using the same steps as other resource roles.