When you create a user or a group in CDP, it requires permissions to access resources and use the Data Services. This article is the fifth in a series of six. CDP Public Cloud manages these permissions through roles, which control the scope of access to resources. There are two main types of roles:
Account Roles: permissions to access or perform tasks on all resources within the CDP tenant
Resource Roles: permissions to access or perform tasks on a specific resource, such as an environment
This article focuses on setting the roles and the Ranger policies required for the group of users created in User management on CDP Public Cloud with Keycloak to complete the lab article that closes this series. By definition, a group in CDP is a collection of user accounts that share the same account and resource roles. Therefore we can manage all our needs at the group level.
Three remarks before starting the configuration:
1. At least one user of the group has to log in to make the group visible on the CDP console.
2. The PowerUser role is required to assign roles to a group.
3. The EnvironmentAdmin role is required to set the Ranger Policies.
Required Roles
To give users access to all resources required to set up the lab article, we need to assign them the following roles:
Account Roles:
– PowerUser
– DFCatalogAdmin
– DFCatalogViewer
Resource Roles:
– DWAdmin
– DWUser
– DFFlowAdmin
– DFFlowUser
– DEUser
In addition, we need to set the Data Access Role on the IDBroker Mappings to ensure user applications can access the Data Lake.
As in CDP Public Cloud deployment on AWS, the role configuration can be done via the Cloudera web interface or the CDP CLI. Both approaches are covered.
Configuring Roles using the CDP Web Interface
This approach is recommended if you are new to CDP. It is slower but gives you a better idea of the configuration process. If you did not install and configure the CDP CLI and the AWS CLI as described in Introduction to end-to-end data lakehouse architecture with CDP, this is also your only option. If you want to go faster and use the terminal to set the roles, scroll down to the Configuring roles from the Terminal section.
Note: You still need to use the CDP console to configure the Ranger policies since this task cannot be accomplished using the CDP CLI.
To set the Account Roles:
1. Log in to the CDP console and select Management Console
2. Navigate to User Management > Groups > Your group name
3. Select Roles and click Update Roles
4. Select the account roles of the list above and click Update
5. You should get the following
To set the Resource Roles:
1. Log in to the CDP console and select Management Console
2. Navigate to Environments > Your environment
3. On the top right corner select Actions and click Manage Access
4. Select the Access tab and type your group name in the search box
5. Select the resource roles of the list above and click Update
The last step is to synchronize the users with the environment: click Synchronize Users
To set the IDBroker Mappings:
1. Select the IDBroker Mappings tab, click Edit
2. Add Data Access Role
3. Select your group name in the search box
4. Copy the Data Access Role above
5. Paste it into the Role space
6. Click Save and Sync
7. You should get the following
Configuring Roles from the Terminal
Deploying via the terminal is recommended for experienced users who want to launch their environment quickly. You need to have the CDP CLI and the AWS CLI installed on your system as described in CDP part 1: Introduction to end-to-end data lakehouse architecture with CDP.
Configuration via the terminal requires the following steps:
1. Set Account Roles
2. Set Resource Roles
3. Set IDBroker mappings
4. Synchronize users
Set Account Roles
To set the account roles, you need your group name and the CRN of the roles you want to assign. In order to do so, use the following commands:
export CDP_GROUP_NAME=adaltas-students
# Bash arrays cannot be exported, a plain assignment is enough within this shell
ACCOUNT_ROLES=(PowerUser DFCatalogAdmin DFCatalogViewer)
# Return the CRN of an account role given its name (a role CRN ends with the role name)
get_crn_account_role () {
  CDP_ACCOUNT_ROLE_NAME=$1
  CDP_ACCOUNT_ROLE_CRN=$(cdp iam list-roles | jq --arg CDP_ACCOUNT_ROLE_NAME "$CDP_ACCOUNT_ROLE_NAME" '.roles[] | select(.crn | endswith($CDP_ACCOUNT_ROLE_NAME)) | .crn')
  # jq prints the CRN as a JSON string, strip the surrounding double quotes
  echo $CDP_ACCOUNT_ROLE_CRN | tr -d '"'
}
With all the required variables defined, you can set the roles.
for role_name in "${ACCOUNT_ROLES[@]}"; do
  cdp iam assign-group-role \
    --group-name ${CDP_GROUP_NAME} \
    --role $(get_crn_account_role ${role_name})
done
There is no immediate feedback if you successfully assign the roles. You can validate with this command:
cdp iam list-group-assigned-roles --group-name $CDP_GROUP_NAME
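Since the CLI gives no feedback on the assignment, the following Python check compares the output of the validation command with the list of required account roles and reports both missing roles and roles granted beyond what the lab needs. This is an added example, not code from the original article or from Cloudera's tooling; it assumes the `list-group-assigned-roles` response carries a `roles` array of role CRNs (it also tolerates objects with a `crn` field), and the sample output below is constructed.

```python
"""Verify that a CDP group holds exactly the account roles the lab needs."""
import json
import subprocess

# Account roles the article assigns to the lab group.
REQUIRED_ACCOUNT_ROLES = {"PowerUser", "DFCatalogAdmin", "DFCatalogViewer"}


def role_name_from_crn(crn: str) -> str:
    """The role name is the last ':'-separated segment of a role CRN
    (the same property the article's jq filter relies on)."""
    return crn.rsplit(":", 1)[-1]


def parse_assigned_roles(output: str) -> set:
    """Parse `cdp iam list-group-assigned-roles` JSON into role names.
    Assumption: the response carries a 'roles' array; entries are accepted
    either as CRN strings or as objects with a 'crn' field."""
    roles = set()
    for entry in json.loads(output).get("roles", []):
        crn = entry["crn"] if isinstance(entry, dict) else entry
        roles.add(role_name_from_crn(crn))
    return roles


def check_group_roles(output: str, required=REQUIRED_ACCOUNT_ROLES) -> dict:
    """Report roles still missing and roles granted beyond the lab's needs."""
    assigned = parse_assigned_roles(output)
    return {"missing": sorted(required - assigned),
            "extra": sorted(assigned - required),
            "ok": assigned == set(required)}


def fetch_assigned_roles(group_name: str) -> str:
    """Run the CLI for real (needs a configured CDP CLI; not used by the test)."""
    cmd = ["cdp", "iam", "list-group-assigned-roles", "--group-name", group_name]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


# Constructed sample output: PowerUser and DFCatalogAdmin were assigned, plus
# EnvironmentAdmin, which the lab does not require; DFCatalogViewer is missing.
SAMPLE_OUTPUT = json.dumps({"roles": [
    "crn:altus:iam:us-west-1:altus:role:PowerUser",
    "crn:altus:iam:us-west-1:altus:role:DFCatalogAdmin",
    "crn:altus:iam:us-west-1:altus:role:EnvironmentAdmin",
]})

if __name__ == "__main__":
    import sys
    out = fetch_assigned_roles(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_OUTPUT
    print(json.dumps(check_group_roles(out), indent=2))
```

Run it with your group name as the only argument to query the real CLI; without an argument it evaluates the constructed sample.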
Set Resource Roles
To set resource roles, you need the CRN of your CDP environment, your group of users, and the roles you want to assign. In order to do so, use the following commands:
