Configuring and Securing Atlas

Cloudera Manager manages Atlas as a service, automatically ensuring Atlas can communicate securely with its clients and the services it depends on. Use Cloudera Manager to manage additional Atlas settings; use Ranger to control user access in Atlas.

When you include Atlas as a service in a cluster, Cloudera Manager automatically configures the following settings:

  • Ranger plugin. Atlas uses Ranger to determine which users have access to perform actions in Atlas.
  • TagSync with Ranger. Atlas passes entity metadata for classifications to Ranger using a Kafka topic.
  • Access Policies in Ranger. Default policies are configured for the following users:
    • rangertagsync: the TagSync service user has read access to entity metadata, specifically to entity classifications to be used in Ranger tag-based policies.
    • beacon: the Data Plane service user has full access to entity metadata, classification and relationship creation, and the ability to import and export metadata from Atlas. These privileges allow integration between the Data Catalog (Data Steward Studio) and Atlas.
    • admin: the initial Cloudera Manager superuser has full access to all Atlas actions, including full access to entity metadata, classification and relationship creation, the ability to import and export metadata from Atlas, and the ability to save searches.
    • public: all users are granted access to read Atlas entity metadata and relationships (such as lineage).
    • {USER}: any user who successfully logs in to Atlas can save searches so they are available in subsequent Atlas sessions.
    You will probably want to update and add to these policies to include users and groups in your organization who will need access to Atlas actions.
  • TLS-enabled clusters. Cloudera Manager configures:
    • The option to enable TLS for Atlas (atlas.enableTLS)
    • Keystore file locations and passwords for encrypting client-server communication
    • Trust store location and password for the Atlas server to communicate as a client to other services such as HBase and Solr
    • Trust store location and password for the Atlas gateway role that passes information through Kafka topics.
  • Kerberos-enabled clusters. Cloudera Manager configures:
    • Principals for Atlas service users
    • Ranger policies to support authentication for Atlas server and hook communication to Kafka
    • Ranger policies to support authentication for the Atlas server to communicate with Solr and HBase
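
When reviewing the default access policies listed above, it helps to see which principals hold which grants and whether public has picked up anything beyond read access. The following is an added example, not Cloudera's or Ranger's own code: it assumes the policies have been exported from Ranger as JSON in the layout shown, and the sample data, policy names, access-type strings and function names are constructed for illustration.

```python
import json

# Constructed sample, assumed to follow the layout of a Ranger policy export:
# "policies" -> "policyItems" -> users / groups / accesses. Policy names and
# access-type strings are illustrative, not taken from the page.
SAMPLE_EXPORT = json.loads("""
{"policies": [
  {"name": "sample entity policy", "isEnabled": true, "policyItems": [
    {"users": ["admin", "beacon"], "groups": [],
     "accesses": [{"type": "entity-read", "isAllowed": true},
                  {"type": "entity-create", "isAllowed": true},
                  {"type": "admin-export", "isAllowed": true}]},
    {"users": ["rangertagsync"], "groups": [],
     "accesses": [{"type": "entity-read", "isAllowed": true}]},
    {"users": [], "groups": ["public"],
     "accesses": [{"type": "entity-read", "isAllowed": true},
                  {"type": "entity-update", "isAllowed": true}]}]},
  {"name": "sample disabled policy", "isEnabled": false, "policyItems": [
    {"users": [], "groups": ["public"],
     "accesses": [{"type": "entity-delete", "isAllowed": true}]}]}
]}
""")

def effective_grants(export):
    """Map 'user:x' / 'group:x' to the access types allowed by enabled policies.
    Deny items and exceptions are not evaluated; this only lists allow grants."""
    grants = {}
    for policy in export.get("policies", []):
        if not policy.get("isEnabled", True):
            continue  # disabled policies grant nothing
        for item in policy.get("policyItems", []):
            allowed = {a["type"] for a in item.get("accesses", []) if a.get("isAllowed")}
            names = [f"user:{u}" for u in item.get("users", [])]
            names += [f"group:{g}" for g in item.get("groups", [])]
            for name in names:
                grants.setdefault(name, set()).update(allowed)
    return grants

def beyond_read(export, principals=("group:public", "user:public")):
    """For principals expected to be read-only, list any non-read access types."""
    grants = effective_grants(export)
    findings = {}
    for name in principals:
        extra = sorted(t for t in grants.get(name, set()) if not t.endswith("-read"))
        if extra:
            findings[name] = extra
    return findings

if __name__ == "__main__":
    for who, types in sorted(effective_grants(SAMPLE_EXPORT).items()):
        print(who, sorted(types))
    print("public beyond read:", beyond_read(SAMPLE_EXPORT))
```

Running the same functions on a real export after each policy change gives a quick diff of who gained access; deny rules and policy conditions still need to be checked in Ranger itself.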