Security considerations

Redaction

Cloudera Manager's Telemetry Publisher collects and sends diagnostic information about job and query processes to Cloudera Observability. As this diagnostic data may contain sensitive information it is important to mask this data on your Workload cluster in Cloudera Manager before Telemetry Publisher sends it to Cloudera Observability. For more information on redaction, see the related links below.

Data in motion

Cloudera Observability and its services run on a secure Cloudera Observability framework. The transfer of diagnostic data to Cloudera Observability from your Workload cluster is completed using the Hypertext Transfer Protocol Secure (HTTPS) and the Transport Layer Security (TLS) protocols and an authentication process. Access to Cloudera Observability requires that each Workload cluster is configured with the Altus access and private keys in Cloudera Manager, which are used by Telemetry Publisher to authenticate the connection and identify the owner of the data. The access key identifies the user making the API call, and the request is signed by the key, using public key encryption. The signature is verified by the service and then the request is processed. You create your Telemetry Publisher access keys in Cloudera Observability, and add, delete, and disable them from Cloudera Manager on your Workload cluster. For more information on creating Telemetry Publisher access keys, see the related link below.

Data at rest

Your diagnostic data goes through several transformation processes before it is stored in the Cloudera Observability S3 bucket. The Cloudera Observability microservices that are granted access to the Cloudera Observability S3 bucket do so through the Amazon Web Services (AWS) Identity Access Management (IAM) service, which securely controls access to AWS resources and is managed by you.

Furthermore, the AWS S3 Server Side encryption is used to encrypt your data at the object level. A dedicated AWS Key Management System (KMS) key is used for the encryption, and only the Cloudera Observability microservices are allowed to access the key.

Data isolation

Cloudera Observability isolates data access at the customer account level, where each customer account has its own dedicated storage database that contains all the data owned by the account, including the account's clusters. This ensures that each account's data is only cross-cluster viewable and not cross-account viewable.

All read access requests to Cloudera Observability use authentication, which identifies the customer account of the user before directing the user's queries to the database associated with the account.

User access

Cloudera Observability supports resource access roles and privilege types that define who is entitled to access your Cloudera Observability Workload clusters and who is entitled to access and administer your Cloudera Observability Workload clusters. The user's identity and Cloudera Observability access rights, such as, the existence of a user account, the correct password, and the correct user role and access credentials, are validated each time a user logs in to the Cloudera Observability UI. For more information, see the related link below.