This article is the fifth in a series of six.
Whenever you create a user or a group in CDP, it requires permissions to access resources and to use the Data Services.
CDP Public Cloud manages these permissions through roles, which control the scope of access to the resources.
There are two main types of roles:
- Account Roles: permissions to access or perform tasks on all resources within the CDP tenant
- Resource Roles: permissions to access or perform tasks on a specific resource, such as an environment
This article focuses on setting the roles and the Ranger policies required for the group of users created in User management on CDP Public Cloud with Keycloak, so that they can complete the lab article which closes this series.
By definition, a group in CDP is a set of user accounts that share the same account and resource roles. We can therefore manage everything we need at the group level rather than per user.
Three remarks before starting the configuration:
- At least one user of the group has to log in once to make the group visible in the CDP console.
- The PowerUser role is required to assign roles to a group.
- The EnvironmentAdmin role is required to set the Ranger policies.
Required Roles
To give users access to all the resources required to set up the lab article, we need to assign them the following roles:
- Account Roles:
- PowerUser
- DFCatalogAdmin
- DFCatalogViewer
- Resource Roles:
- DWAdmin
- DWUser
- DFFlowAdmin
- DFFlowUser
- DEUser
In addition, we need to set the Data Access Role in the IDBroker Mappings to make sure user applications can access the Data Lake.
As in CDP Public Cloud deployment on AWS, the role configuration can be done either through the Cloudera web interface or with the CDP CLI. Both approaches are covered.
Configuring Roles using the CDP Web Interface
This approach is recommended if you are new to CDP. It is slower but gives you a better understanding of the configuration process. If you did not install and configure the CDP CLI and the AWS CLI as described in Introduction to end-to-end data lakehouse architecture with CDP, it is also your only option.
If you want to go faster and use the terminal to set the roles, scroll down to the Configuring Roles from the Terminal section.
Note: You still need to use the CDP console to configure the Ranger policies, since this task cannot be done with the CDP CLI.
To set the Account Roles:
- Log in to the CDP console and select Management Console
- Navigate to User Management > Groups > Your group name
- Select Roles and click Update Roles
- Select the account roles from the list above and click Update
- You should get the following:
To set the Resource Roles:
- Log in to the CDP console and select Management Console
- Navigate to Environments > Your environment
- In the top right corner select Actions and click Manage Access
- Select the Access tab and type your group name in the search box
- Select the resource roles from the list above and click Update
- The last step is to synchronize the users with the environment: click Synchronize Users
To set the IDBroker Mappings:
- Select the IDBroker Mappings tab and click Edit
- Add a Data Access Role mapping:
  - Select your group name in the search box
  - Copy the Data Access Role shown above
  - Paste it into the Role field
  - Click Save and Sync
- You should get the following:
Configuring Roles from the Terminal
Configuring through the terminal is recommended for experienced users who want to get their environment ready quickly. You need the CDP CLI and the AWS CLI installed on your system, as described in CDP part 1: introduction to end-to-end data lakehouse architecture with CDP.
Configuration through the terminal requires the following steps:
- Set Account Roles
- Set Resource Roles
- Set IDBroker mappings
- Synchronize users
Set Account Roles
To set the account roles, you need your group name and the CRN of each role you want to assign. Define them with the following commands (the helper function looks the CRN up by role name in the output of cdp iam list-roles):
export CDP_GROUP_NAME=adaltas-students
export ACCOUNT_ROLES=(PowerUser DFCatalogAdmin DFCatalogViewer)
# Return the CRN of an account role, e.g. crn:altus:iam:us-west-1:altus:role:PowerUser
get_crn_account_role () {
  local CDP_ACCOUNT_ROLE_NAME=$1
  cdp iam list-roles | jq -r --arg CDP_ACCOUNT_ROLE_NAME "$CDP_ACCOUNT_ROLE_NAME" \
    '.roles[] | select(.crn | endswith(":" + $CDP_ACCOUNT_ROLE_NAME)).crn'
}
With all the required variables defined, you can assign the roles:
for role_name in "${ACCOUNT_ROLES[@]}"; do
  cdp iam assign-group-role \
    --group-name "${CDP_GROUP_NAME}" \
    --role "$(get_crn_account_role "${role_name}")"
done
There is no immediate feedback when the roles are assigned successfully. You can validate the assignment with this command:
cdp iam list-group-assigned-roles --group-name "$CDP_GROUP_NAME"
Set Resource Roles
To set the resource roles, you need the CRN of your CDP environment, the CRN of your group of users, and the CRNs of the roles you want to assign. Define them with the following commands (note the -r flag on jq, so the CRNs are stored without surrounding quotes):
export CDP_ENV_NAME=[your-environment-name]
export CDP_GROUP_CRN=$(cdp iam list-groups | jq -r --arg CDP_GROUP_NAME "$CDP_GROUP_NAME" '.groups[] | select(.groupName==$CDP_GROUP_NAME).crn')
export CDP_ENV_CRN=$(cdp environments describe-environment --environment-name "${CDP_ENV_NAME}" | jq -r .environment.crn)
export RESOURCE_ROLES=(DWAdmin DWUser DFFlowAdmin DFFlowUser DEUser)
# Return the CRN of a resource role, e.g. crn:altus:iam:us-west-1:altus:resourceRole:DWAdmin
get_crn_resource_role () {
  local CDP_RESOURCE_ROLE_NAME=$1
  cdp iam list-resource-roles | jq -r --arg CDP_RESOURCE_ROLE_NAME "$CDP_RESOURCE_ROLE_NAME" \
    '.resourceRoles[] | select(.crn | endswith(":" + $CDP_RESOURCE_ROLE_NAME)).crn'
}
With all the required variables defined, you can assign the roles on the environment:
for role_name in "${RESOURCE_ROLES[@]}"; do
  cdp iam assign-group-resource-role \
    --group-name "$CDP_GROUP_NAME" \
    --resource-role-crn "$(get_crn_resource_role "${role_name}")" \
    --resource-crn "$CDP_ENV_CRN"
done
There is no immediate feedback when the roles are assigned successfully. You can validate the assignment with this command:
cdp iam list-group-assigned-resource-roles --group-name "$CDP_GROUP_NAME"
Set IDBroker mapping
To configure the IDBroker Mapping, you need information from your AWS CloudFormation stack. Retrieve it with the following commands:
export AWS_ACCOUNT_ID=$(aws sts get-caller-identity | jq -r .Account)
export CDP_RESOURCE_PREFIX=$(aws cloudformation describe-stacks --stack-name "aws-${USER}-env" | jq -r '.Stacks[].Parameters[] | select(.ParameterKey=="prefix").ParameterValue')
export AWS_DATA_ADMIN_ROLE_ARN=arn:aws:iam::${AWS_ACCOUNT_ID}:role/${CDP_RESOURCE_PREFIX}-datalake-admin-role
export AWS_RANGER_AUDIT_ROLE_ARN=arn:aws:iam::${AWS_ACCOUNT_ID}:role/${CDP_RESOURCE_PREFIX}-ranger-audit-role
Now you can set the Data Access Role for your group in the IDBroker Mappings. Mapping the group to the data lake admin role gives every member of the group the same data lake access as that role, which is acceptable for the lab; in a production environment you would map the group to a dedicated, least-privilege IAM role instead.
Note: The following command replaces the ENTIRE IDBroker Mappings configuration, which is why both the Data Access and Ranger Audit roles must be passed again. Before running it, review the current configuration with cdp environments get-id-broker-mappings --environment-name "$CDP_ENV_NAME" so that existing mappings for other users or groups are not lost.
cdp environments set-id-broker-mappings \
  --environment-name "$CDP_ENV_NAME" \
  --data-access-role "$AWS_DATA_ADMIN_ROLE_ARN" \
  --ranger-audit-role "$AWS_RANGER_AUDIT_ROLE_ARN" \
  --mappings accessorCrn="$CDP_GROUP_CRN",role="$AWS_DATA_ADMIN_ROLE_ARN"
Synchronize Users and IDBroker Mappings
With all the configuration done, it is time to synchronize both the users and the IDBroker mappings with your environment:
cdp environments sync-all-users \
  --environment-name "$CDP_ENV_NAME"
cdp environments sync-id-broker-mappings \
  --environment-name "$CDP_ENV_NAME"
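Because none of the assignment commands above give feedback, it is worth turning the three validation commands (list-group-assigned-roles, list-group-assigned-resource-roles and get-id-broker-mappings) into a single pass/fail check. The following script is an added example and not part of the original article: it compares the group's effective account roles and resource roles against the list required by this article, flags roles that are missing as well as roles that are assigned but not required (privilege creep), and reports which AWS role the IDBroker mapping hands to the group. The SAMPLE_* dictionaries are constructed test data shaped like the CDP CLI JSON output; the field names (roleCrns, resourceAssignments, mappings, dataAccessRole) are an assumption to verify against your CLI version. The group and environment names in the --live branch are placeholders to adjust.

```python
"""Check a CDP group's effective role assignments against the article's list.

Added example, not from the original article. Uses constructed sample data
shaped like the CDP CLI JSON output; run with --live to query the real CLI.
"""
import json
import subprocess
import sys

# Roles required by this article (see "Required Roles").
REQUIRED_ACCOUNT_ROLES = {"PowerUser", "DFCatalogAdmin", "DFCatalogViewer"}
REQUIRED_RESOURCE_ROLES = {"DWAdmin", "DWUser", "DFFlowAdmin", "DFFlowUser", "DEUser"}

# Constructed sample output, mimicking `cdp iam list-group-assigned-roles`.
SAMPLE_ACCOUNT = {"roleCrns": [
    "crn:altus:iam:us-west-1:altus:role:PowerUser",
    "crn:altus:iam:us-west-1:altus:role:DFCatalogAdmin",
    "crn:altus:iam:us-west-1:altus:role:IamViewer",  # not required: reported as extra
]}
SAMPLE_ENV_CRN = "crn:cdp:environments:us-west-1:00000000-0000-0000-0000-000000000000:environment:lab-env/1"
OTHER_ENV_CRN = "crn:cdp:environments:us-west-1:00000000-0000-0000-0000-000000000000:environment:other-env/2"
# Constructed sample output, mimicking `cdp iam list-group-assigned-resource-roles`.
SAMPLE_RESOURCE = {"resourceAssignments":
    [{"resourceCrn": SAMPLE_ENV_CRN,
      "resourceRoleCrn": f"crn:altus:iam:us-west-1:altus:resourceRole:{r}"}
     for r in ("DWAdmin", "DWUser", "DFFlowAdmin", "DFFlowUser")]
    + [{"resourceCrn": OTHER_ENV_CRN,  # assignment on another environment: must be ignored
        "resourceRoleCrn": "crn:altus:iam:us-west-1:altus:resourceRole:DEUser"}]}
SAMPLE_GROUP_CRN = "crn:altus:iam:us-west-1:00000000-0000-0000-0000-000000000000:group:adaltas-students/3"
# Constructed sample output, mimicking `cdp environments get-id-broker-mappings`.
SAMPLE_MAPPINGS = {
    "dataAccessRole": "arn:aws:iam::123456789012:role/lab-datalake-admin-role",
    "rangerAuditRole": "arn:aws:iam::123456789012:role/lab-ranger-audit-role",
    "mappings": [{"accessorCrn": SAMPLE_GROUP_CRN,
                  "role": "arn:aws:iam::123456789012:role/lab-datalake-admin-role"}],
}


def role_name(crn):
    """CDP role CRNs end with the role name, e.g. ...:role:PowerUser."""
    return crn.rsplit(":", 1)[-1]


def diff_roles(have, required):
    return {"missing": sorted(required - have), "extra": sorted(have - required)}


def check_account_roles(assigned, required=frozenset(REQUIRED_ACCOUNT_ROLES)):
    have = {role_name(c) for c in assigned.get("roleCrns", [])}
    return diff_roles(have, set(required))


def check_resource_roles(assigned, env_crn, required=frozenset(REQUIRED_RESOURCE_ROLES)):
    # Only assignments scoped to this environment count.
    have = {role_name(a["resourceRoleCrn"])
            for a in assigned.get("resourceAssignments", [])
            if a.get("resourceCrn") == env_crn}
    return diff_roles(have, set(required))


def check_id_broker_mapping(mappings, group_crn):
    roles = [m["role"] for m in mappings.get("mappings", []) if m.get("accessorCrn") == group_crn]
    if not roles:
        return {"mapped": False, "role": None, "uses_admin_role": False}
    # Mapping the group to the environment's data access (admin) role gives every
    # member admin-level data lake access: fine for the lab, worth flagging elsewhere.
    return {"mapped": True, "role": roles[0],
            "uses_admin_role": roles[0] == mappings.get("dataAccessRole")}


def report(account, resource, mapping):
    """Return (ok, lines): ok is True only if nothing required is missing and the group is mapped."""
    lines = [f"account roles:  missing={account['missing'] or '-'} extra={account['extra'] or '-'}",
             f"resource roles: missing={resource['missing'] or '-'} extra={resource['extra'] or '-'}",
             f"idbroker mapping: role={mapping['role']} uses_admin_role={mapping['uses_admin_role']}"]
    ok = not account["missing"] and not resource["missing"] and mapping["mapped"]
    return ok, lines


def cdp(*args):
    """Run a CDP CLI command and parse its JSON output."""
    return json.loads(subprocess.check_output(["cdp", *args]))


if __name__ == "__main__":
    if "--live" in sys.argv:
        group, env = "adaltas-students", "lab-env"  # placeholders: adjust to your names
        group_crn = next(g["crn"] for g in cdp("iam", "list-groups")["groups"] if g["groupName"] == group)
        env_crn = cdp("environments", "describe-environment", "--environment-name", env)["environment"]["crn"]
        account = check_account_roles(cdp("iam", "list-group-assigned-roles", "--group-name", group))
        resource = check_resource_roles(
            cdp("iam", "list-group-assigned-resource-roles", "--group-name", group), env_crn)
        mapping = check_id_broker_mapping(
            cdp("environments", "get-id-broker-mappings", "--environment-name", env), group_crn)
    else:
        account = check_account_roles(SAMPLE_ACCOUNT)
        resource = check_resource_roles(SAMPLE_RESOURCE, SAMPLE_ENV_CRN)
        mapping = check_id_broker_mapping(SAMPLE_MAPPINGS, SAMPLE_GROUP_CRN)
    ok, lines = report(account, resource, mapping)
    print("\n".join(lines))
    sys.exit(0 if ok else 1)
```

On the constructed sample the script exits non-zero, because DFCatalogViewer and DEUser are missing and IamViewer is an unexpected extra; the DEUser assignment on the other environment is correctly ignored. The extra-role check is the part worth keeping after the lab: re-running it periodically shows whether the group has accumulated roles beyond the ones this article grants.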
Configure Ranger policies
There is one more layer of permissions to configure before users can complete the lab: the Ranger policies.
These policies apply at the Data Warehouse service level. As you will see in the next article, users need to create and query tables in the data warehouse.
All of this configuration is done through the Cloudera web interface, in the Ranger console.
As a reminder, you need the roles mentioned at the beginning of this article (PowerUser, and EnvironmentAdmin on the environment) to follow along.
- Navigate to Data Warehouse
- In Overview, find the Database Catalog for your environment, click the three vertical dots in the top right corner, and select Open Ranger
- In the Ranger Service Manager, click Hadoop SQL
- Open policy 9: all – database, table, column
  - Add {USER} under Allow Conditions, Select Users
  - Click Save
- Open policy 11: all – storage-type, storage-url
  - Add {USER} under Allow Conditions, Select Users
  - Click Save
Note that {USER} is a Ranger macro that matches whichever user makes the request, so these two policies grant every authenticated user full access to all databases, tables and storage locations. This is convenient for the lab, but outside the lab you should scope the policies to specific groups and databases instead.
Next Steps: Hands-On Lab on a CDP Public Cloud Environment
Finally, both the users and the architecture are ready, so it is time to let users experiment with all the managed services of your AWS-hosted CDP Public Cloud Environment in the hands-on lab article that closes this series.