Cloudera Manager User Roles

Access to Cloudera Manager features is controlled by user accounts that specify an authentication mechanism and one or more user roles. User roles determine the tasks that an authenticated user can perform and the features visible to the user in the Cloudera Manager Admin Console. Documentation for Cloudera Manager administration and management tasks indicate user roles required to perform the task.

Displaying Roles for Current User Account Login

The user roles associated with a given login session are available at any time from the Cloudera Manager Admin Console menu. Assuming you are logged in to Cloudera Manager Admin Console, you can always verify the user roles associated with your current login as follows:

  1. Select My Profile from the username drop-down menu, where username is the name of the logged in account (such as admin). The My Profile pop-up window displays the Username, Roles, and the date and time of the Last Successful Login.
  2. Click Close to dismiss the message page.

User Roles

A Cloudera Manager user account can be assigned one of the following roles with associated permissions:
  • Auditor
    • View configuration and monitoring information in Cloudera Manager.
    • View audit events.
  • Read-Only
    • View configuration and monitoring information in Cloudera Manager.
    • View service and monitoring information.
    • View events and logs.
    • View replication jobs and snapshot policies.
    • View YARN applications and Impala queries.
    The Read-Only role does not allow the user to:
    • Add services or take any actions that affect the state of the cluster.
    • Use the HDFS file browser.
    • Use the HBase table browser.
    • Use the Solr Collection Statistics browser.
  • Limited Operator
    • View configuration and monitoring information in Cloudera Manager.
    • View service and monitoring information.
    • Decommission hosts (except hosts running Cloudera Management Service roles).
    • Perform the same tasks as the Read-Only role.

    The Limited Operator role does not allow the user to add services or take any other actions that affect the state of the cluster.

  • Operator
    • View configuration and monitoring information in Cloudera Manager.
    • View service and monitoring information.
    • Stop, start, and restart clusters, services (except the Cloudera Management Service), and roles.
    • Decommission and recommission hosts (except hosts running Cloudera Management Service roles).
    • Decommission and recommission roles (except Cloudera Management Service roles).
    • Start, stop, and restart KMS.
    • Perform the same tasks as the Read-Only role.

    The Operator role does not allow the user to add services, roles, or hosts, or take any other actions that affect the state of the cluster.

  • Configurator
    • View configuration and monitoring information in Cloudera Manager.
    • Perform all Operator operations.
    • Configure services (except the Cloudera Management Service).
    • Enter and exit maintenance mode.
    • Manage dashboards (including Cloudera Management Service dashboards).
    • Start, stop, and restart KMS
    • Perform the same tasks as the Read-Only role.
  • Cluster Administrator - Use all of the functionality available in Cloudera Manager and perform all actions except the following:
    • Administer Cloudera Navigator.
    • View replication schedules and snapshot policies.
    • View audit events.
    • Manage user accounts and configuration of external authentication.
    • Manage Full Administrator accounts.
    • Configure HDFS encryption, administer Key Trustee Server, and manage encryption keys.
    • Use the HDFS file browser, the HBase table browser, and the Solr Collection browser.
    • View the Directory Usage Report
    • View the HBase Statistics Page
    Unless otherwise noted above, the Cluster Administrator can view the data related to Cloudera Manager, such as file metadata. The Cluster Administrator cannot see things like the content of files stored by HDFS and other components.
  • BDR Administrator
    • View configuration and monitoring information in Cloudera Manager.
    • View service and monitoring information.
    • Perform replication and define snapshot operations.
    • Use the HDFS file browser, the HBase table browser, and the Solr Collection browser.
    • View the Directory Usage Report
    • View the HBase Table Statistics Page
    • Perform the same tasks as the Read-Only role.
  • Navigator Administrator
    • View configuration and monitoring information in Cloudera Manager.
    • View service and monitoring information.
    • Administer Cloudera Navigator.
    • View audit events.
    • Use the HDFS file browser, the HBase table browser, and the Solr Collection browser.
    • Perform the same tasks as the Read-Only role.
  • User Administrator
    • View configuration and monitoring information in Cloudera Manager.
    • View service and monitoring information.
    • Manage user accounts and configuration of external authentication.
    • Use the HDFS file browser, the HBase table browser, and the Solr Collection browser.
    • Perform the same tasks as the Read-Only role.
  • Key Administrator
    • View configuration and monitoring information in Cloudera Manager.
    • Configure HDFS encryption, administer Key Trustee Server, and manage encryption keys.
    • Start, stop, and restart KMS
    • Configure KMS ACLs
    • Use the HDFS file browser, the HBase table browser, and the Solr Collection browser.
    • Perform the same tasks as the Read-Only role.
  • Full Administrator - Full Administrators have permissions to use all of the functionality available in Cloudera Manager and perform all actions on all clusters. Additionally, the Full Administrator can view the data related to Cloudera Manager, such as file metadata, snapshots, quotas, and file size. The Full Administrator cannot see things like the content of files stored by HDFS or other components.

The user roles and associated permissions are summarized as follows:

Cloudera Manager User Roles

Permission





User role

View configuration and monitoring information

Decommission
hosts

Recommission
hosts

Decommission
and
recommission
roles

Start, stop,
and restart
clusters, services,
and roles

Enter and
exit maintenance
mode

Edit
configurations

Create, modify,
and delete
dashboards
and charts

Administer
Cloudera
Navigator

Perform
replication and
snapshot operations

View
audit
events

Manage user
accounts and configuration
of external authentication

Configure HDFS
Encryption, administer
Key Trustee Server,
and manage
encryption keys

Perform all
administrative
functions not
enumerated here

Full Administrator
Key Administrator

User
Administrator

Navigator
Administrator

BDR
Administrator

Cluster
Administrator

Configurator
Operator

Limited
Operator

Read-Only
Auditor

Removing the Full Administrator User Role

Minimum Required Role: User Administrator (also provided by Full Administrator)

In some organizations, security policies may prohibit the use of the Full Administrator role. The Full Administrator role is created during Cloudera Manager installation, but you can remove it as long as you have at least one remaining user account with User Administrator privileges.

To remove the Full Administrator user role, perform the following steps.

  1. Add at least one user account with User Administrator privileges, or ensure that at least one such user account already exists.
  2. Ensure that there is only a single user account with Full Administrator privileges.
  3. While logged in as the single remaining Full Administrator user, select your own user account and either delete it or assign it a new user role.
A consequence of removing the Full Administrator role is that some tasks may require collaboration between two or more users with different user roles. For example:
  • If the machine that the Cloudera Navigator roles are running on needs to be replaced, the Cluster Administrator will want to move all the roles running on that machine to a different machine. The Cluster Administrator can move any non-Navigator roles by deleting and re-adding them, but would need a Navigator Administrator to perform the stop, delete, add, and start actions for the Cloudera Navigator roles.
  • In order to take HDFS snapshots, snapshots must be enabled on the cluster by a Cluster Administrator, but the snapshots themselves must be taken by a BDR Administrator.