Cloudera Manager User Roles
Access to Cloudera Manager features is controlled by user accounts that specify an authentication mechanism and one or more user roles. User roles determine the tasks that an authenticated user can perform and the features visible to the user in the Cloudera Manager Admin Console. Documentation for Cloudera Manager administration and management tasks indicates the user roles required to perform each task.
Displaying Roles for Current User Account Login
The user roles associated with a given login session are available at any time from the Cloudera Manager Admin Console menu. Assuming you are logged in to Cloudera Manager Admin Console, you can always verify the user roles associated with your current login as follows:
- Select My Profile from the username drop-down menu, where username is the name of the logged-in account (such as admin). The My Profile pop-up window displays the Username, Roles, and the date and time of the Last Successful Login.
- Click Close to dismiss the message page.
User Roles
- Auditor
  - View configuration and monitoring information in Cloudera Manager.
  - View audit events.
- Read-Only
  - View configuration and monitoring information in Cloudera Manager.
  - View service and monitoring information.
  - View events and logs.
  - View replication jobs and snapshot policies.
  - View YARN applications and Impala queries.
  - The Read-Only role does not allow the user to:
    - Add services or take any actions that affect the state of the cluster.
    - Use the HDFS file browser.
    - Use the HBase table browser.
    - Use the Solr Collection Statistics browser.
- Limited Operator
  - View configuration and monitoring information in Cloudera Manager.
  - View service and monitoring information.
  - Decommission hosts (except hosts running Cloudera Management Service roles).
  - Perform the same tasks as the Read-Only role.
  - The Limited Operator role does not allow the user to add services or take any other actions that affect the state of the cluster.
- Operator
  - View configuration and monitoring information in Cloudera Manager.
  - View service and monitoring information.
  - Stop, start, and restart clusters, services (except the Cloudera Management Service), and roles.
  - Decommission and recommission hosts (except hosts running Cloudera Management Service roles).
  - Decommission and recommission roles (except Cloudera Management Service roles).
  - Start, stop, and restart KMS.
  - Perform the same tasks as the Read-Only role.
  - The Operator role does not allow the user to add services, roles, or hosts, or take any other actions that affect the state of the cluster.
- Configurator
  - View configuration and monitoring information in Cloudera Manager.
  - Perform all Operator operations.
  - Configure services (except the Cloudera Management Service).
  - Enter and exit maintenance mode.
  - Manage dashboards (including Cloudera Management Service dashboards).
  - Start, stop, and restart KMS.
  - Perform the same tasks as the Read-Only role.
- Cluster Administrator - Use all of the functionality available in Cloudera Manager and perform all actions except the following:
  - Administer Cloudera Navigator.
  - View replication schedules and snapshot policies.
  - View audit events.
  - Manage user accounts and configuration of external authentication.
  - Manage Full Administrator accounts.
  - Configure HDFS encryption, administer Key Trustee Server, and manage encryption keys.
  - Use the HDFS file browser, the HBase table browser, and the Solr Collection browser.
  - View the Directory Usage Report.
  - View the HBase Statistics Page.
- BDR Administrator
  - View configuration and monitoring information in Cloudera Manager.
  - View service and monitoring information.
  - Perform replication and define snapshot operations.
  - Use the HDFS file browser, the HBase table browser, and the Solr Collection browser.
  - View the Directory Usage Report.
  - View the HBase Table Statistics Page.
  - Perform the same tasks as the Read-Only role.
- User Administrator
  - View configuration and monitoring information in Cloudera Manager.
  - View service and monitoring information.
  - Manage user accounts and configuration of external authentication.
  - Use the HDFS file browser, the HBase table browser, and the Solr Collection browser.
  - Perform the same tasks as the Read-Only role.
- Key Administrator
  - View configuration and monitoring information in Cloudera Manager.
  - Configure HDFS encryption, administer Key Trustee Server, and manage encryption keys.
  - Start, stop, and restart KMS.
  - Configure KMS ACLs.
  - Use the HDFS file browser, the HBase table browser, and the Solr Collection browser.
  - Perform the same tasks as the Read-Only role.
- Full Administrator - Full Administrators have permissions to use all of the functionality available in Cloudera Manager and perform all actions on all clusters. Additionally, the Full Administrator can view the data related to Cloudera Manager, such as file metadata, snapshots, quotas, and file size. The Full Administrator cannot see things like the content of files stored by HDFS or other components.
The user roles and associated permissions are summarized as follows:
| Permission User role | View configuration and monitoring information | Decommission | Recommission | Decommission | Start, stop, | Enter and | Edit | Create, modify, | Administer | Perform | View | Manage user | Configure HDFS | Perform all |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Full Administrator | | | | | | | | | | | | | | |
| Key Administrator | | | | | | | | | | | | | | |
| User | | | | | | | | | | | | | | |
| Navigator | | | | | | | | | | | | | | |
| BDR | | | | | | | | | | | | | | |
| Cluster | | | | | | | | | | | | | | |
| Configurator | | | | | | | | | | | | | | |
| Operator | | | | | | | | | | | | | | |
| Limited | | | | | | | | | | | | | | |
| Read-Only | | | | | | | | | | | | | | |
| Auditor | | | | | | | | | | | | | | |
Removing the Full Administrator User Role
Minimum Required Role: User Administrator (also provided by Full Administrator)
In some organizations, security policies may prohibit the use of the Full Administrator role. The Full Administrator role is created during Cloudera Manager installation, but you can remove it as long as you have at least one remaining user account with User Administrator privileges.
To remove the Full Administrator user role, perform the following steps.
- Add at least one user account with User Administrator privileges, or ensure that at least one such user account already exists.
- Ensure that there is only a single user account with Full Administrator privileges.
- While logged in as the single remaining Full Administrator user, select your own user account and either delete it or assign it a new user role.
- If the machine that the Cloudera Navigator roles are running on needs to be replaced, the Cluster Administrator will want to move all the roles running on that machine to a different machine. The Cluster Administrator can move any non-Navigator roles by deleting and re-adding them, but would need a Navigator Administrator to perform the stop, delete, add, and start actions for the Cloudera Navigator roles.
- In order to take HDFS snapshots, snapshots must be enabled on the cluster by a Cluster Administrator, but the snapshots themselves must be taken by a BDR Administrator.
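The preconditions in the steps for removing the Full Administrator user role can be checked before anyone deletes or re-roles the last Full Administrator account. The following is an added example, not Cloudera code: the function name, usernames, and account inventories are constructed for illustration, and role names are written as they appear on this page.

```python
FULL_ADMIN = "Full Administrator"
USER_ADMIN = "User Administrator"


def removal_blockers(accounts, acting_user):
    """List the reasons the Full Administrator role cannot be removed yet.

    accounts maps username -> set of role names as shown under My Profile;
    acting_user is the logged-in account that will delete or re-role itself.
    An empty list means the documented preconditions hold.
    """
    blockers = []
    full_admins = sorted(u for u, r in accounts.items() if FULL_ADMIN in r)
    # Full Administrator also provides User Administrator rights, so only
    # accounts that hold User Administrator without Full Administrator still
    # manage users once the role is gone.
    survivors = sorted(u for u, r in accounts.items()
                       if USER_ADMIN in r and FULL_ADMIN not in r)
    if not survivors:
        blockers.append("no separate User Administrator account exists")
    if len(full_admins) > 1:
        blockers.append("more than one Full Administrator remains: "
                        + ", ".join(full_admins))
    if acting_user not in full_admins:
        blockers.append(f"{acting_user} is not a Full Administrator")
    return blockers


# Constructed sample inventories (hypothetical usernames).
ONLY_FULL_ADMIN = {"admin": {FULL_ADMIN}, "ops1": {"Operator"}}
TWO_FULL_ADMINS = {"admin": {FULL_ADMIN}, "root2": {FULL_ADMIN},
                   "iam1": {USER_ADMIN}}
READY = {"admin": {FULL_ADMIN}, "iam1": {USER_ADMIN}, "ops1": {"Operator"}}

if __name__ == "__main__":
    for name, inv in [("only-full-admin", ONLY_FULL_ADMIN),
                      ("two-full-admins", TWO_FULL_ADMINS),
                      ("ready", READY)]:
        print(name, removal_blockers(inv, "admin") or "OK to proceed")
```

The first inventory shows the case the procedure guards against: the only user-management capability comes from the Full Administrator account itself, so removing it would leave no one able to manage accounts.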