Configure Atlas file-based authentication

How to manage Atlas user authentication when using user credentials from a file.

Two of the most likely tasks you would perform related to file-based authentication for Atlas:

To enable or disable file-based authentication

  1. In Cloudera Manager, select the Atlas service, then open the Configuration tab.
  2. Display the authentication settings by typing "file" in the Search box.
  3. Check or uncheck the option Enable File Authentication.


  4. If you are enabling file-based authentication, review the location of the file that contains user credentials as specified in Path to Credentials for File-based Login.
    The default directory location indicated by ATLAS_USER_CREDENTIALS_CONF_PATH is the Atlas configuration directory in the Cloudera Runtime installation location, typically
    /opt/cloudera/parcels/CDH-version/etc/atlas/conf.dist

    If you need to change the location, specify an absolute path on the Atlas host. Alternatively you can reset the location for users-credentials.properties by setting the atlas.authentication.method.file.filename property in the Atlas Server Advanced Configuration Snippet (Safety Valve) for conf/atlas-application.properties. You can find the hostname where the Atlas service is running on the Instances tab in Cloudera Manager.

  5. Configure the list of users as described in step 6 in To add to the users list:.
  6. Click Save Changes.
  7. Restart the Atlas service.

To add to the users list:

This procedure requires that you restart the Atlas service.

  1. In Cloudera Manager, select the Atlas service, then open the Instances tab.
  2. Note the Hostname where the Atlas service is running. You'll need to be able to SSH into that host to update the user list.


  3. Open the Configuration tab.
  4. Type "file" in the search box to filter the property list.
  5. Find the user file.

    Look for the location of the users-credentials.properties file as set in the Path to Credentials for File-based Login property.

    The default directory location indicated by ATLAS_USER_CREDENTIALS_CONF_PATH is the Atlas configuration directory in the Cloudera Runtime installation location, typically
    /opt/cloudera/parcels/CDH-version/etc/atlas/conf.dist
    If you need to reset the location of the users-credentials.properties file, see Moving the Atlas user credentials file.
  6. Update the user list.
    SSH into the Atlas host. Edit the users file to include additional users in the following format:
    username=group::password-hash
    where the username is the string used in the login page, the group is one of ADMIN, DATA_STEWARD, or DATA_SCIENTIST. The password-hash is the password encoded using salting.
    To generate an encoded password, use the python cputil.py script provided in the Atlas installation, typically:
    /opt/cloudera/parcels/CDH-version/lib/atlas/bin

    Run the command as follows, making sure that variables used in the script are available:

    $ export ATLAS_HOME=/opt/cloudera/parcels/CDH-version/lib/atlas
    $ export ATLAS_CONF=<Atlas installation location>
    $ /opt/cloudera/parcels/CDH-version/lib/atlas/bin/cputil.py -g -u <username> -p <new secure password> -s

    The -s option ensures that the output includes only the hash value. The Atlas installation location is typically /opt/cloudera/parcels/CDH-version/etc/atlas/.

  7. Restart the Atlas service.

Moving the Atlas user credentials file

If you find you need to point Atlas to a different location for the users-credentials.properties file, you can reset the location using a property in an Atlas advanced configuration snippet.

  1. In Cloudera Manager, select the Atlas service, then open the Configuration tab.
  2. Display the advanced configuration settings by typing "safety" in the Search box.
  3. In the Atlas Server Advanced Configuration Snippet (Safety Valve) for conf/atlas-application.properties property, add the following property and set it to the absolute path to the users-credentials.properties file on the Atlas host. This path must be accessible to the Atlas service user (defaults to atlas).
    atlas.authentication.method.file.filename=/some/secure/location
  4. Restart the Atlas service.