Securing Atlas

Cloudera Manager manages Atlas as a service, automatically ensuring Atlas can communicate securely with its clients and the services it depends on. Use Cloudera Manager to manage additional Atlas settings; use Ranger to control user access in Atlas.

When you include Atlas as a service in a cluster, Cloudera Manager automatically configures the following settings:

Ranger plugin. Atlas uses Ranger to determine which users have access to perform actions in Atlas.
TagSync with Ranger. Atlas passes entity metadata for classifications to Ranger using a Kafka topic.
Access Policies in Ranger. Default policies are configured for the following users:
- admin: the initial Atlas administrator user has full access to all Atlas actions, including full access to entity metadata, classifications, business metadata attributes, labels and relationship creation, the ability to create new entity, enumeration, structure, and relationship types, the ability to import, export, and purge metadata from Atlas, and the ability to save searches.
- dpprofiler: the Data Plane service user has the same extensive privileges as the admin user. These privileges allow integration between the Data Catalog (Data Steward Studio) and Atlas.
- beacon: the Replication Manager service user has the same extensive privileges as the admin user. These privileges allow Atlas to participate in cluster-level disaster recovery operations.
- rangertagsync: the TagSync service user has read access to entity metadata, specifically to entity classifications, business metadata, and labels to be used in Ranger tag-based policies.
- rangerlookup: the Ranger lookup service user has read access to entity metadata, specifically to entity classifications, business metadata, and labels to be used in enforcing Ranger policies.
- public: all users are granted access to read Atlas entity metadata, classifications, labels, and relationships (such as lineage).
- {USER}: any user who successfully logs in to Atlas can save searches so they are available in subsequent Atlas sessions.
You will probably want to update and add to these policies to include users and groups in your organization who will need access to Atlas actions.
TLS-enabled clusters. Cloudera Manager configures:
- The option to enable TLS for Atlas (atlas.enableTLS)
- Keystore file locations and passwords for encrypting client-server communication
- Trust store location and password for the Atlas server to communicate as a client to other services such as HBase and Solr
- Trust store location and password for the Atlas gateway role that passes information through Kafka topics.
note
In CDP Cloud, communication among services within the cluster is configured to use TLS by default. There is no need to manually configure TLS for Atlas in an SDX cluster.
Kerberos-enabled clusters. Cloudera Manager configures:
- Principals for Atlas service users
- Ranger policies to support authentication for Atlas server and hook communication to Kafka
- Ranger policies to support authentication for the Atlas server to communicate with Solr and HBase
note
In CDP Cloud, user authentication is managed using Free IPA and Kerberos. There is no need to manually configure authentication settings for Atlas.