Cloudera Docs

Syncing users to environments

When making any kind of user or group-related changes, an automatic user sync is performed to FreeIPA.

All user and group related changes with the exception of generating API access keys are synced to FreeIPA in each environment. For example, user sync is automatically run for the following actions:
  • Creating machine users
  • Deleting users and machine users
  • Assigning Cloudera roles or environment-level resource roles to users
  • Creating a group, assigning group membership, and deleting a group
  • Setting workload password
  • Managing user SSH keys

The automated user sync applies these changes to each available environment. In case of an unavailable environment, for example when an environment is being created, deleted, stopped, or started, the users are synced when the environment becomes available again.

The following processes are executed during the automatic user sync:
  • All control plane actors (users and machine users) with the correct environment accesses and rights are synced to FreeIPA.
  • All groups are synced to the FreeIPA.
  • All users with PowerUser role are synchronized to all environments.

Checking user sync status for an environment

Required roles:
  • EnvironmentAdmin, EnvironmentUser, and DataSteward can check the user sync status for a single environment.
  • PowerUser can check user sync status for all environments.

Steps

  1. Navigate to a specific environment in Cloudera Management Console.
  2. Check the status of the user sync using one of the following actions:
      • Click on Actions > Synchronize Users to FreeIPA.
      • Navigate to Summary > FreeIPA > Actions > Synchronize Users to FreeIPA.
      • Click on Actions > Manage Access, and then click the Synchronize Users button in the top right corner.
  3. The Sync State of the environment is shown.

    The status will be one of the following values:

    • Unknown: The user sync state is not known. This usually indicates that user sync has not been run for a new environment.
    • Up to date: All changes have been synced into this environment and the environment is up to date.
    • Synchronizing: There are outstanding changes that need to be synced into this environment.
    • Synchronization halted: User sync has been halted for this environment because the environment is not AVAILABLE. User sync will resume once the environment becomes AVAILABLE.
    • Environment is quarantined: User sync has consistently failed multiple times in a row. User sync will be retried once daily to see if the failure persists. Environments can be unquarantined by manually requesting user sync. If the failure consistently recurs, then the environment will be quarantined again.
From the CDP CLI, you can use the following commands:
cdp environments get-automated-sync-environment-status --environment-name [***ENVIRONMENT NAME***]
This command requests the sync status for all users and groups with one or more Cloudera environments specified in --environment-name [***ENVIRONMENT NAME***].

The status will be one of the following values:

  • UNKNOWN: The user sync state is not known. This usually indicates that user sync has not been run for a new environment.
  • SYNCED: All changes have been synced into this environment and the environment is up to date.
  • SYNC_PENDING: There are outstanding changes that need to be synced into this environment.
  • SYNC_HALTED: User sync has been halted for this environment because the environment is not AVAILABLE. User sync will resume once the environment becomes AVAILABLE.
  • QUARANTINED: User sync has consistently failed multiple times in a row. User sync will be retried once daily to see if the failure persists. Environments can be unquarantined by manually requesting user sync. If the failure consistently recurs, then the environment will be quarantined again.

Requesting user sync to all environments

Required role: PowerUser

Steps

  1. From the Cloudera web interface, you can perform user sync from the Cloudera Management Console > User Management.
  2. Click on Actions > Synchronize Users.
  3. Click Synchronize Users.
  4. Status is shown Running, then Completed.
From the CDP CLI, you can use the following command to synchronize all users and groups with all Cloudera environments: 
cdp environments sync-all-users
You can also use the following command to only sync the current user with all their Cloudera environments
cdp environments sync-user
You can use it if you are making changes to your own user, but you cannot use it to sync other users for the environment.

What to do next

Depending on how many users you have in Cloudera, it may take a few minutes for the user sync to complete. The sync operation times out after 30 minutes.

Requesting user sync to a selected environments

Required role: EnvironmentAdmin and DataSteward can perform user sync for a single environment. PowerUser can perform user sync for all environments.

Steps

  1. Navigate to a specific environment in Cloudera Management Console.
  2. Check the status of the user sync using one of the following actions:
      • Click on Actions > Synchronize Users to FreeIPA.
      • Navigate to Summary > FreeIPA > Actions > Synchronize Users to FreeIPA.
      • Click on Actions > Manage Access, and then click the Synchronize Users button in the top right corner.
    • Status is shown Running, then Completed.
From the CDP CLI, you can use the following command to synchronize all users and groups with all Cloudera environments: 
cdp environments sync-all-users --environment-names [***ENVIRONMENT NAME***]
This command requests the sync status for all users and groups with one or more Cloudera environments specified in --environment-names [***ENVIRONMENT NAME***].

What to do next

Depending on how many users you have in Cloudera, it may take a few minutes for the user sync to complete.

User synchronization error

When creating groups, the Cloudera does not check for the following conflicts:
  • New group name conflicts with an existing workload username.

    If a group is synced first (this also occurs if both user and group exist in CDP before the first sync), then user creation will fail because the private group cannot be created.

    You will see an error similar to ipa: ERROR: Unable to create private group. A group '<username>' already exists.

  • New workload username conflicts with an existing group name.

    If a user is synced first, then FreeIPA also creates a private group with the same name as the user. Group creation will fail because a group with that name already exists.

Both conflicts result in problems when matching group and usernames are synced to an environment.