CDP part 5: user permissions management on CDP Public Cloud

Faheem

Whenever you create a user or a group in CDP, it requires permissions to access resources and use the Data Services.

This article is the fifth in a series of six:

CDP Public Cloud manages these permissions through roles, which control the scope of access to the resources.

There are two main types of roles:

  • Account Roles: permissions to access or perform tasks on all resources within the CDP tenant
  • Resource Roles: permissions to access or perform tasks on a specific resource, such as an environment

This article focuses on setting the roles and the Ranger policies required for the group of users created in User management on CDP Public Cloud with Keycloak to complete the lab article which closes this series.

By definition, a group in CDP is a set of user accounts that have the same account and resource roles. Therefore we can handle all our needs at the group level.

Three remarks before starting the configuration:

  • At least one user of the group has to log in to make the group visible on the CDP console.
  • The PowerUser role is required to assign roles to a group.
  • The EnvironmentAdmin role is required to set the Ranger policies.

Required Roles

To give users access to all the resources required to set up the lab article, we need to assign them the following roles:

  • Account Roles:
    • PowerUser
    • DFCatalogAdmin
    • DFCatalogViewer
  • Resource Roles:
    • DWAdmin
    • DWUser
    • DFFlowAdmin
    • DFFlowUser
    • DEUser

In addition, we need to set the Data Access Role on the IDBroker Mappings to ensure that user applications can access the Data Lake.

As in CDP Public Cloud deployment on AWS, the role configuration can be done via the Cloudera web interface or the CDP CLI. Both approaches are covered.

Configuring Roles using the CDP Web Interface

This approach is recommended if you are new to CDP. It is slower but gives you a better understanding of the configuration process. If you did not install and configure the CDP CLI and the AWS CLI as described in Introduction to end-to-end data lakehouse architecture with CDP, this is also your only option.

If you want to go faster and use the terminal to set the roles, scroll down to the Configuring Roles from the Terminal section.

Note: You still need to use the CDP console to configure the Ranger policies, since this task cannot be done with the CDP CLI.

To set the Account Roles:

  1. Log in to the CDP console and select Management Console

    (screenshot: management_console)

  2. Navigate to User Management > Groups > Your group name

    (screenshot: account_roles01)

  3. Select Roles and click Update Roles

    (screenshot: account_roles02)

  4. Select the account roles from the list above and click Update

    (screenshot: account_roles03)

  5. You should get the following

    (screenshot: account_roles04)

To set the Resource Roles:

  1. Log in to the CDP console and select Management Console

    (screenshot: management_console)

  2. Navigate to Environments > Your environment

    (screenshot: resource_roles01)

  3. In the top right corner select Actions and click Manage Access

    (screenshot: resource_roles02)

  4. Select the Access tab and type your group name in the search box

    (screenshot: resource_roles03)

  5. Select the resource roles from the list above and click Update

    (screenshot: resource_roles04)

  6. The last step is to synchronize the users with the environment, so click Synchronize Users

    (screenshot: resource_roles05)

  7. Click Synchronize Users

    (screenshot: resource_roles05)

To set the IDBroker Mappings:

  1. Select the IDBroker Mappings tab and click Edit

    (screenshot: idbroker_mapping01)

  2. Add the Data Access Role

    1. Select your group name in the search box
    2. Copy the Data Access Role shown above
    3. Paste it into the Role field
    4. Click Save and Sync

    (screenshot: idbroker_mapping02)

  3. You should get the following

    (screenshot: idbroker_mapping03)

Configuring Roles from the Terminal

Deploying via the terminal is recommended for experienced users who want to launch their environment quickly. You need to have the CDP CLI and the AWS CLI installed on your system as described in CDP part 1: introduction to end-to-end data lakehouse architecture with CDP.

Configuration via the terminal requires the following steps:

  1. Set Account Roles
  2. Set Resource Roles
  3. Set IDBroker mappings
  4. Synchronize users

Set Account Roles

To set the account roles, you need your group name and the CRN of the roles you want to assign. To do so, use the following commands:


export CDP_GROUP_NAME=adaltas-students

export ACCOUNT_ROLES=(PowerUser DFCatalogAdmin DFCatalogViewer)

# Resolve an account role name to its CRN. The role name is the last
# ':'-separated segment of the CRN, so select the entry whose CRN ends with ":<name>".
get_crn_account_role () {
  local CDP_ACCOUNT_ROLE_NAME=$1
  cdp iam list-roles | jq -r --arg CDP_ACCOUNT_ROLE_NAME "$CDP_ACCOUNT_ROLE_NAME" '.roles[] | select(.crn | endswith(":" + $CDP_ACCOUNT_ROLE_NAME)).crn'
}

With all the required variables defined, you can set the roles.


for role_name in "${ACCOUNT_ROLES[@]}"; do
  cdp iam assign-group-role \
    --group-name ${CDP_GROUP_NAME} \
    --role $(get_crn_account_role ${role_name})
done

There is no immediate feedback when the roles are assigned successfully. You can validate with this command:

cdp iam list-group-assigned-roles --group-name $CDP_GROUP_NAME

Set Resource Roles

To set resource roles, you need the CRN of your CDP environment, the CRN of your group of users, and the roles you want to assign. To do so, use the following commands:


export CDP_ENV_NAME=[your-environment-name]

export CDP_GROUP_CRN=$(cdp iam list-groups | jq -r --arg CDP_GROUP_NAME "$CDP_GROUP_NAME" '.groups[] | select(.groupName==$CDP_GROUP_NAME).crn')

export CDP_ENV_CRN=$(cdp environments describe-environment --environment-name ${CDP_ENV_NAME} | jq -r .environment.crn)

export RESOURCE_ROLES=(DWAdmin DWUser DFFlowAdmin DFFlowUser DEUser)

# Resolve a resource role name to its CRN, again by matching the CRN suffix.
get_crn_resource_role () {
  local CDP_RESOURCE_ROLE_NAME=$1
  cdp iam list-resource-roles | jq -r --arg CDP_RESOURCE_ROLE_NAME "$CDP_RESOURCE_ROLE_NAME" '.resourceRoles[] | select(.crn | endswith(":" + $CDP_RESOURCE_ROLE_NAME)).crn'
}

With all the required variables defined, you can set the roles.


for role_name in "${RESOURCE_ROLES[@]}"; do
  cdp iam assign-group-resource-role \
    --group-name $CDP_GROUP_NAME \
    --resource-role-crn $(get_crn_resource_role ${role_name}) \
    --resource-crn $CDP_ENV_CRN
done

There is no immediate feedback when the roles are assigned successfully. You can validate with this command:

cdp iam list-group-assigned-resource-roles --group-name $CDP_GROUP_NAME
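
As an added check that is not part of the original article, the following Python script audits what the two validation commands above report against the role lists this article expects: it flags roles that are missing, roles that were never meant to be granted, and resource roles the group holds on environments other than the lab one. The CLI output field names (roles, resourceAssignments, resourceRoleCrn, resourceCrn), the CRN layout and the sample JSON are assumptions constructed for the example.

```python
"""Audit the roles actually assigned to a CDP group against the list this article expects.

Added example, not code from the original article or from Cloudera. It reads the JSON
printed by `cdp iam list-group-assigned-roles` and `cdp iam list-group-assigned-resource-roles`.
The output field names (`roles`, `resourceAssignments`, `resourceRoleCrn`, `resourceCrn`)
and the CRN layout (role name as the last ':'-separated segment) are assumptions.
"""
import json
import sys

# Roles the article assigns to the group; anything else is reported as drift.
EXPECTED_ACCOUNT_ROLES = {"PowerUser", "DFCatalogAdmin", "DFCatalogViewer"}
EXPECTED_RESOURCE_ROLES = {"DWAdmin", "DWUser", "DFFlowAdmin", "DFFlowUser", "DEUser"}

# Constructed sample of `cdp iam list-group-assigned-roles --group-name adaltas-students`:
# the three expected roles plus one that nobody intended to grant.
SAMPLE_ACCOUNT_JSON = json.dumps({"roles": [
    "crn:altus:iam:us-west-1:altus:role:PowerUser",
    "crn:altus:iam:us-west-1:altus:role:DFCatalogAdmin",
    "crn:altus:iam:us-west-1:altus:role:DFCatalogViewer",
    "crn:altus:iam:us-west-1:altus:role:IamUser",
]})

# Constructed environment CRNs and sample of `cdp iam list-group-assigned-resource-roles`:
# DEUser was never assigned, and the group also holds EnvironmentAdmin on another environment.
SAMPLE_ENV_CRN = "crn:cdp:environments:us-west-1:tenant-placeholder:environment:adaltas-env"
OTHER_ENV_CRN = "crn:cdp:environments:us-west-1:tenant-placeholder:environment:prod-env"
SAMPLE_RESOURCE_JSON = json.dumps({"resourceAssignments": [
    {"resourceCrn": SAMPLE_ENV_CRN,
     "resourceRoleCrn": f"crn:altus:iam:us-west-1:altus:resourceRole:{r}"}
    for r in ("DWAdmin", "DWUser", "DFFlowAdmin", "DFFlowUser")
] + [
    {"resourceCrn": OTHER_ENV_CRN,
     "resourceRoleCrn": "crn:altus:iam:us-west-1:altus:resourceRole:EnvironmentAdmin"},
]})


def role_name(crn):
    """Last segment of a CDP role or resource-role CRN, e.g. '...:role:PowerUser' -> 'PowerUser'."""
    return crn.rsplit(":", 1)[-1]


def audit_account_roles(cli_json, expected=EXPECTED_ACCOUNT_ROLES):
    """Compare the group's account roles with the expected set."""
    entries = json.loads(cli_json).get("roles", [])
    # Tolerate both a list of CRN strings and a list of objects carrying a 'crn' key.
    assigned = {role_name(e if isinstance(e, str) else e["crn"]) for e in entries}
    return {"missing": sorted(expected - assigned), "unexpected": sorted(assigned - expected)}


def audit_resource_roles(cli_json, env_crn, expected=EXPECTED_RESOURCE_ROLES):
    """Compare the group's resource roles on env_crn with the expected set.

    Assignments on any other resource are returned separately: they are not wrong by
    themselves, but a lab group holding roles on other environments deserves a look.
    """
    assigned, elsewhere = set(), set()
    for a in json.loads(cli_json).get("resourceAssignments", []):
        name = role_name(a["resourceRoleCrn"])
        if a["resourceCrn"] == env_crn:
            assigned.add(name)
        else:
            elsewhere.add((a["resourceCrn"], name))
    return {"missing": sorted(expected - assigned),
            "unexpected": sorted(assigned - expected),
            "elsewhere": sorted(elsewhere)}


def main():
    """Run both audits on the constructed samples; non-zero exit when anything deviates."""
    account = audit_account_roles(SAMPLE_ACCOUNT_JSON)
    resource = audit_resource_roles(SAMPLE_RESOURCE_JSON, SAMPLE_ENV_CRN)
    print("account roles :", account)
    print("resource roles:", resource)
    drift = any(account.values()) or any(resource.values())
    return 1 if drift else 0


if __name__ == "__main__":
    sys.exit(main())
```

To use it against a real tenant, replace the two sample constants with the output of the validation commands (for example by reading them from files) and run the script after each role change; the exit code lets the check gate an automation pipeline.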

Set IDBroker mapping

To configure the IDBroker Mapping, you need information from your AWS CloudFormation stack. Retrieve this information using the following commands:


export AWS_ACCOUNT_ID=$(aws sts get-caller-identity | jq -r .Account)
export CDP_RESOURCE_PREFIX=$(aws cloudformation describe-stacks --stack-name aws-${USER}-env | jq -r '.Stacks[].Parameters[] | select(.ParameterKey=="prefix").ParameterValue')

export AWS_DATA_ADMIN_ROLE_ARN=arn:aws:iam::${AWS_ACCOUNT_ID}:role/${CDP_RESOURCE_PREFIX}-datalake-admin-role
export AWS_RANGER_AUDIT_ROLE_ARN=arn:aws:iam::${AWS_ACCOUNT_ID}:role/${CDP_RESOURCE_PREFIX}-ranger-audit-role

Now you can set the Data Access Role for your group on the IDBroker Mappings.

Note: The following command updates ALL the IDBroker Mappings configuration, which is why both the Data Access and the Ranger Audit roles are required.


cdp environments set-id-broker-mappings \
  --environment-name $CDP_ENV_NAME \
  --data-access-role $AWS_DATA_ADMIN_ROLE_ARN \
  --ranger-audit-role $AWS_RANGER_AUDIT_ROLE_ARN \
  --mappings accessorCrn=$CDP_GROUP_CRN,role=$AWS_DATA_ADMIN_ROLE_ARN
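
Because the command above replaces the whole mapping list, running it on an environment where other groups are already mapped silently drops their access. As an added example that is not part of the original article, the following Python script merges a new group mapping into the current state reported by cdp environments get-id-broker-mappings and builds the complete set-id-broker-mappings command, so that earlier mappings and the Data Access and Ranger Audit roles survive the update. The output field names (dataAccessRole, rangerAuditRole, mappings with accessorCrn and role), the space-separated shorthand accepted by --mappings, and the sample ARNs and CRNs are assumptions constructed for the example.

```python
"""Add a group to an environment's IDBroker mappings without dropping the existing ones.

Added example, not code from the original article or from Cloudera. Takes the current
state as printed by `cdp environments get-id-broker-mappings`, merges the new mapping
into it, and renders the arguments for `cdp environments set-id-broker-mappings`.
Field names, the `--mappings` shorthand and the sample identifiers are assumptions.
"""
import json
import re

# arn:aws:iam::<12-digit account>:role/<name, optionally with a path>
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=,.@/-]+$")

# Constructed current state: one group is already mapped on the environment.
SAMPLE_STATE_JSON = json.dumps({
    "dataAccessRole": "arn:aws:iam::111111111111:role/demo-datalake-admin-role",
    "rangerAuditRole": "arn:aws:iam::111111111111:role/demo-ranger-audit-role",
    "mappings": [
        {"accessorCrn": "crn:altus:iam:us-west-1:tenant-placeholder:group:data-engineers",
         "role": "arn:aws:iam::111111111111:role/demo-datalake-admin-role"},
    ],
})
# Constructed identifiers for the group this article sets up.
NEW_GROUP_CRN = "crn:altus:iam:us-west-1:tenant-placeholder:group:adaltas-students"
NEW_GROUP_ROLE = "arn:aws:iam::111111111111:role/demo-datalake-admin-role"


def account_id(role_arn):
    """AWS account of an IAM role ARN; rejects anything that is not a role ARN."""
    match = ROLE_ARN_RE.match(role_arn)
    if not match:
        raise ValueError(f"not an IAM role ARN: {role_arn!r}")
    return match.group(1)


def merge_mapping(state_json, accessor_crn, role_arn):
    """Return the complete mapping list with accessor_crn -> role_arn added or replaced.

    Every existing entry for another accessor is kept, so the result is safe to hand to
    set-id-broker-mappings. A role from a different AWS account than the environment's
    Data Access Role is refused: that is almost always a copy/paste mistake.
    """
    state = json.loads(state_json)
    env_account = account_id(state["dataAccessRole"])
    if account_id(role_arn) != env_account:
        raise ValueError(f"{role_arn} is not in account {env_account}")
    kept = [dict(m) for m in state.get("mappings", []) if m["accessorCrn"] != accessor_crn]
    return kept + [{"accessorCrn": accessor_crn, "role": role_arn}]


def mappings_arguments(mappings):
    """Shorthand items for --mappings, one 'accessorCrn=...,role=...' per mapping."""
    return [f"accessorCrn={m['accessorCrn']},role={m['role']}" for m in mappings]


def build_set_command(state_json, environment_name, accessor_crn, role_arn):
    """argv for set-id-broker-mappings that preserves the Data Access and Ranger Audit roles."""
    state = json.loads(state_json)
    merged = merge_mapping(state_json, accessor_crn, role_arn)
    return ["cdp", "environments", "set-id-broker-mappings",
            "--environment-name", environment_name,
            "--data-access-role", state["dataAccessRole"],
            "--ranger-audit-role", state["rangerAuditRole"],
            "--mappings", *mappings_arguments(merged)]


if __name__ == "__main__":
    # In practice, feed the real `cdp environments get-id-broker-mappings` output
    # instead of SAMPLE_STATE_JSON and review the printed command before running it.
    print(" ".join(build_set_command(SAMPLE_STATE_JSON, "adaltas-env", NEW_GROUP_CRN, NEW_GROUP_ROLE)))
```

The script prints the command rather than executing it, so the merged mapping list can be reviewed before anything changes; re-running it for a group that is already mapped replaces that entry instead of duplicating it.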

Synchronize Users and IDBroker Mappings

With all the configuration done, it is time to synchronize both users and IDBroker mappings with your environment.


cdp environments sync-all-users \
  --environment-name $CDP_ENV_NAME


cdp environments sync-id-broker-mappings \
  --environment-name $CDP_ENV_NAME

Configure Ranger policies

There is one more layer of permissions to configure to enable users to complete the lab: Ranger policies.

These policies are at the Data Warehouse service level. As you will see in the next article, users need to create and query tables in the data warehouse.

All this configuration is done via the Cloudera web interface using the Ranger console.

As a reminder, before starting, you need the PowerUser account role on CDP to follow along.

  1. Navigate to Data Warehouse

    (screenshot: cdp_datawarehouse)

  2. In Overview, find the Database Catalog name for your environment, click the three vertical dots at the top right, and select Open Ranger

    (screenshot: ranger_policies01)

  3. In the Ranger Service Manager, click Hadoop SQL

    (screenshot: ranger_policies02)

  4. Open policy 9: all – database, table, columns

    • Add {USER} under Allow Conditions, Select Users
    • Click Save

    (screenshots: ranger_policy9_00, ranger_policy9_01, ranger_policy9_02, ranger_policy9_03)

  5. Open policy 11: all – storage-type, storage-url

    • Add {USER} under Allow Conditions, Select Users
    • Click Save

    (screenshots: ranger_policy11_00, ranger_policy11_01, ranger_policy11_02, ranger_policy11_03)

Next Steps: Hands-On Lab on a CDP Public Cloud Environment

Finally, both users and architecture are ready, so it is time to let users experiment with all the managed services of your AWS-hosted CDP Public Cloud Environment with the hands-on lab article that closes this series.
