Identity and Access Management

Altus user accounts identify who can access services and components in Altus. Roles assigned to a user account determine the actions that the user can do in Altus.

Altus User Accounts

You can have the following accounts in Altus:
  • Altus Account Administrator
  • Altus User
  • Machine User

Altus Account Administrator

During the initial setup of the Altus subscription for a customer, Cloudera designates a user account as an Altus account administrator. An Altus account administrator has administrator privileges in Altus. The Altus account administrator privileges cannot be managed within Altus. You must contact Cloudera support to add or to remove an account administrator from your Altus account.

As an account administrator, you have administrator privileges in Altus. You can assign roles and environments to users in Altus according to the tasks that they need to perform. You can set up another user as an Altus administrator by assigning the PowerUser role to the user (see Roles and Resource Roles). However, you cannot set up another user as an account administrator.

An Altus account administrator requires a Cloudera user account. To be designated as an Altus account administrator, you must register for a Cloudera user account. To register for a Cloudera user account, go to the Cloudera Account Registration page and create an account: https://www.cloudera.com/user/registration.html.

Altus User

An Altus user requires a Cloudera user account. To get an Altus user account, you must register for a Cloudera user account. To register for a Cloudera user account, go to the Cloudera Account Registration page and create an account: https://www.cloudera.com/user/registration.html.

When an Altus user who is not an account administrator logs in to Altus for the first time, the user has limited privileges. An Altus administrator must assign an environment and appropriate roles to the user after the initial user login.

Use the following guidelines when you manage user accounts in Altus:
  • An Altus user account has an associated Cloudera user account. To delete the user account from Altus, send a request to Cloudera to delete the Cloudera account for the user.

    You can revoke permissions for an Altus user account but you cannot delete the account from within Altus.

  • When you revoke permissions for a user, ensure that you remove all the roles that grant the permissions that you want to revoke.
    To revoke all permissions granted to a user, complete the following steps:
    • Remove all roles assigned to the user.
    • Remove all environments assigned to the user.
    • Delete any access key created for the user.
  • A user who has a valid account in Altus but is not assigned any role can perform a limited number of tasks.
    A user who logs in to the Altus console without an assigned role or environment can perform only the following tasks:
    • Download the Altus client.
    • View the Altus documentation.
    • Create a support case.

Machine User

A machine user account provides programmatic access to Altus. Create a machine user account if you have an application that needs to access the Altus services with the CLI or the Altus SDK for Java. You can define the machine user account in your application to create and manage clusters and run jobs in Altus using the CLI or API commands.

You create and manage a machine user account within Altus. You must assign an API access key to a machine user account to enable it to access the Altus service with the CLI or Altus SDK for Java. You must assign roles to a machine user account to authorize it to perform tasks in Altus.

A machine user account does not have an associated Cloudera user account. You cannot use a machine user to log in to the Altus console.

Use the following guidelines when you manage machine user accounts in Altus:
  • When you create a machine user account, you assign roles and environments to the machine user account in the same way that you assign roles and environments to other user accounts. For more information about assigning roles and environments to a user account, see User Authorization Setup.
  • When you revoke permissions for a machine user, ensure that you remove all the roles that grant the permissions that you want to revoke.
    To revoke all permissions granted to a machine user account, complete the following steps:
    • Remove all roles assigned to the machine user.
    • Remove all environments assigned to the machine user.
    • Delete any access key created for the machine user.
  • You can delete a machine user account in Altus.

    You can delete the machine user account on the Altus console or using the CLI. For more information about deleting a machine user account, see Deleting a Machine User Account.

Altus-Defined Machine User Account

Altus-defined machine user accounts are machine user accounts that Altus creates to perform specific operations. For example, when you enable the Workload Analytics option for an environment, Altus creates a machine user account to run the Telemetry Publisher to publish the job metrics for each cluster that uses the environment.

The name of an Altus-defined machine user account includes the cluster ID of the cluster for which the account is created and typically indicates the process that it is used for.

Altus uses the following Altus-defined machine user account:

  Machine User Name                  Usage
  dataeng-wa-publisher-ClusterID     Runs the Workload Analytics process to publish analytics information for jobs that run in an Altus cluster.

Altus deletes the machine user accounts it creates when they are no longer needed. For example, when Altus creates a machine user to publish workload analytics for a cluster and the cluster is terminated, Altus deletes the machine user account and the roles and access key assigned to it.

You can view and manage all machine user accounts that are created in your Altus account, including Altus-defined machine user accounts. On the Altus console, the Altus-defined machine user accounts are listed with other user accounts on the Users page.

Creating a Machine User Account

You can create a machine user account and use it in an application to programmatically access the Altus API through the CLI.

Creating a Machine User Account on the Console
To create a machine user on the console:
  1. Sign in to the Cloudera Altus console:

    https://console.altus.cloudera.com/

  2. On the side navigation panel, click IAM.

    The Users page displays the list of all Altus users.

  3. Click Create Machine User.
  4. On the Create Machine User window, enter a name for the machine user account.

    The machine user name can be an alphanumeric string of up to 128 characters. It can include underscores (_) and hyphens (-). The name must be unique within the Altus account.

  5. Click OK.
Creating a Machine User Account Using the CLI
You can use the following command to create a machine user account:
altus iam create-machine-user \
    --machine-user-name=MachineUserName

After you create the machine user account, assign an access key and role to the machine user.

To assign an access key to the machine user account, use the following command:
altus iam create-machine-user-access-key \
    --machine-user-name=MachineUserName
To assign a role to the machine user account, use the following command:
altus iam assign-machine-user-role \
    --machine-user-name=MachineUserName \
    --role=RoleName

If you want to use the machine user account to create clusters or run jobs, assign it a resource role.

To assign a resource role to the machine user account, use the following command:
altus iam assign-machine-user-resource-role \
    --machine-user-name=MachineUserName \
    --resource-role=ResourceRoleName

machine-user-name is a required parameter for all the commands.

Deleting a Machine User Account

Before you delete a machine user account, verify that the machine user account is not used in an application. Altus does not check for associated processes before it deletes a machine user account. If you delete a machine user account that is used in an application, the application fails.

Deleting a Machine User Account on the Console
To delete a machine user account on the console:
  1. Sign in to the Cloudera Altus console:

    https://console.altus.cloudera.com/

  2. On the side navigation panel, click IAM.

    The Users page displays the list of all Altus users.

  3. Go to the name of the machine user that you want to delete and click the Actions button.

    Make sure that the machine user account you plan to delete is not set up to run an Altus process.

  4. Select Delete Machine User.
  5. On the Confirm window, click OK to delete the machine user account.
Deleting a Machine User Account Using the CLI

Before you delete a machine user account, remove the assigned roles and access keys from the user account.

Run the commands to remove the role and access keys assigned to the machine user account and then delete the user.

To remove a role assigned to the machine user:
altus iam unassign-machine-user-role \
    --machine-user-name=MachineUserName \
    --role=RoleName
To remove a resource role assigned to the machine user:
altus iam unassign-machine-user-resource-role \
    --machine-user-name=MachineUserName \
    --resource-role=ResourceRoleName
To remove an access key assigned to the machine user:
altus iam delete-access-key \
    --access-key-id=AccessKeyIdForMachineUser
To delete the machine user account:
altus iam delete-machine-user \
    --machine-user-name=MachineUserName

machine-user-name is a required parameter for all the commands.
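The following POSIX shell script is an added example, not part of the Cloudera documentation or the Altus CLI itself. It strings together the commands from Creating a Machine User Account Using the CLI and Deleting a Machine User Account Using the CLI as one lifecycle: create the account, grant the resource role and roles, capture the access key into a file only the invoking user can read, and later revoke everything in the order the guidelines above prescribe before deleting the account. The altus subcommands and flags are the ones this page documents; the machine user name etl-runner, the access key id AKIDEXAMPLE and the ALTUS_DRY_RUN switch are assumptions for illustration. With the default dry run the script only prints the command sequence, so it runs without an Altus account.

```shell
#!/bin/sh
# Added example, not Cloudera's code: drive the altus iam commands documented
# above to provision a machine user and to tear it down in the right order.
# ALTUS_DRY_RUN=1 (the default) prints each command instead of executing it,
# so the script runs offline; set ALTUS_DRY_RUN=0 with a configured altus CLI
# (and adjust the hypothetical names at the bottom) to run it for real.
ALTUS_DRY_RUN="${ALTUS_DRY_RUN:-1}"

# run: execute an altus command line, or print it when dry-running.
run() {
  if [ "$ALTUS_DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# provision_machine_user NAME RESOURCE_ROLE [ROLE ...]
# Creates the account, grants the resource role (cluster and job rights in the
# environment) and then any environment-independent roles. IAMUser is
# deliberately not granted: a machine user has no reason to mint its own keys.
provision_machine_user() {
  mu_name="$1"; mu_resource_role="$2"; shift 2
  run altus iam create-machine-user --machine-user-name="$mu_name"
  run altus iam assign-machine-user-resource-role \
    --machine-user-name="$mu_name" --resource-role="$mu_resource_role"
  for mu_role in "$@"; do
    run altus iam assign-machine-user-role \
      --machine-user-name="$mu_name" --role="$mu_role"
  done
}

# create_access_key NAME KEYFILE
# The private key appears only in this command's output, so capture it directly
# into a file that only the invoking user can read (umask 077 gives mode 0600)
# instead of letting it scroll through a terminal or a CI log. In dry-run mode
# the file receives the command text rather than a key.
create_access_key() {
  mu_name="$1"; mu_keyfile="$2"
  ( umask 077
    run altus iam create-machine-user-access-key \
      --machine-user-name="$mu_name" > "$mu_keyfile" )
}

# revoke_machine_user NAME ACCESS_KEY_ID RESOURCE_ROLE [ROLE ...]
# Reverses provisioning: roles, resource role, key, then the account, matching
# the revocation guideline above. ACCESS_KEY_ID is the id returned when the
# key was created (hypothetical value in the demonstration below).
revoke_machine_user() {
  mu_name="$1"; mu_key_id="$2"; mu_resource_role="$3"; shift 3
  for mu_role in "$@"; do
    run altus iam unassign-machine-user-role \
      --machine-user-name="$mu_name" --role="$mu_role"
  done
  run altus iam unassign-machine-user-resource-role \
    --machine-user-name="$mu_name" --resource-role="$mu_resource_role"
  run altus iam delete-access-key --access-key-id="$mu_key_id"
  run altus iam delete-machine-user --machine-user-name="$mu_name"
}

# Demonstration with hypothetical names (etl-runner, AKIDEXAMPLE); the roles are
# the ones this page defines. The key file lands in a fresh 0700 directory.
demo_dir=$(mktemp -d)
provision_machine_user etl-runner DataEngEnvironmentUser DataEngUser
create_access_key etl-runner "$demo_dir/etl-runner.key"
echo "key file: $demo_dir/etl-runner.key"
revoke_machine_user etl-runner AKIDEXAMPLE DataEngEnvironmentUser DataEngUser
```

The ordering in revoke_machine_user is the point: an access key that outlives the account's roles is harmless, but a role that outlives the key is not the failure mode to worry about; a key that survives role removal is, so the key is deleted before the account and never left behind by a partial teardown.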

Roles and Resource Roles

A user requires permission to access resources and perform tasks in Altus. As an Altus administrator, you can assign a role to a user to give the user permission to perform tasks.

A policy defines the permissions associated with a role. It consists of policy statements that grant permissions to resources. The policy attached to a role determines the operations that the role allows the user to perform. When users attempt to perform operations that are not permitted in their assigned role, they get a permission denied error message.

A role that is associated with specific resources is called a resource role. This type of role can only be assigned through an Altus environment.

Altus provides the following types of roles for Data Engineering:
Role
A role grants permissions to perform tasks in Altus that are not associated with a specific environment. You explicitly assign a role to a user account.

Altus has pre-defined roles for your use. You can assign a role or a combination of roles to give the user the appropriate permissions to complete tasks. You cannot modify the pre-defined Altus roles or the policies associated with the pre-defined roles.

Altus has the following pre-defined roles:
  • IAMUser. Grants users permission to create access keys for their use, to view the list of assigned roles, and to view the list of all users in the Altus account.
  • DataEngUser. Grants a user permission to view all environments and clusters in the Altus account and to view the jobs that the user submits.
  • PowerUser. Grants a user permission to perform all tasks on all resources.

To set up a user as an Altus administrator, assign the PowerUser role to the user account.

To set up a user as a data engineering user, assign the DataEngUser and IAMUser roles and an environment to the user account.

Resource Role
A resource role grants permission to specific resources associated with an Altus environment. You assign a resource role to a user account through an Altus environment.

When you assign an environment to a user, you assign a resource role that determines the tasks that the user can perform within the environment. You can view the policy of a resource role only when you assign an environment to a user.

Altus provides the following resource role:
  • DataEngEnvironmentUser. Grants a user permission to create or delete clusters associated with the environment. Also grants permission to list, submit, or terminate jobs in the clusters associated with the environment.

If a user account in Altus does not have the PowerUser role, you must assign the user at least one environment. Otherwise, the user has limited permissions in Altus and cannot create clusters or submit jobs.

The combination of a role and an environment provides the authorization that an Altus user needs to perform tasks in Altus and access the resources in your cloud service provider account.

User Authorization Setup

You must be an Altus administrator to assign roles and environments to users. Assign roles and environments to user accounts and machine user accounts to enable users to perform tasks and to provide users access to resources.

Altus provides pre-defined roles that you can assign to Altus user accounts and machine user accounts. Verify the tasks that a user account must perform and assign roles appropriately. For more information about Altus roles, see Roles and Resource Roles.

Cloudera Altus manages access to Altus services through the CLI or API with an access key. Only a user or machine user account that has API access credentials can access Altus services through the CLI or API. You can generate an API access key for an Altus user or machine user account to allow it to use the CLI or the API.

Assigning a Role

Assign roles to user accounts and machine user accounts to manage the tasks that users can perform in Altus. You can assign multiple roles to users to provide them with the permissions they need to perform their required tasks.

To set up a user as an Altus administrator, assign the PowerUser role to the user account.

To set up a user as a data engineering user, assign the DataEngUser and IAMUser roles and an environment to the user account.

To assign a role to a user:
  1. Sign in to the Cloudera Altus console:

    https://console.altus.cloudera.com/

  2. On the side navigation panel, click IAM.

    The Users page displays the list of all Altus users.

  3. Click the name of the user to whom you want to assign a role and click Update Roles.
  4. In the Update Roles window, select the roles that you want to assign to the user.

    To remove a role assignment, clear the selection.

    To view the permissions for the role, click Policies. The policy is displayed in JSON format.

  5. Click Update.

Assigning an Environment

Assign a user an Altus environment to grant the user cluster and job permissions in the environment. An Altus user cannot create clusters or run jobs without access to an Altus environment.

To assign an environment to a user:
  1. Sign in to the Cloudera Altus console:

    https://console.altus.cloudera.com/

  2. On the side navigation panel, click Environments.

    The Environments page displays the list of all Altus environments and the region associated with each environment.

  3. Click the name of the environment that you want to assign to a user and verify that the environment has the resources that you want the user to access.

    The environment Details page shows the resources available in the environment.

  4. Click Access.

    The Access page displays resource roles with rights to the resources in the environment. You can view the specific rights that each role provides.

    The page also displays the list of users who have access and who do not have access to the environment.

  5. In the Search Users field, enter a user name.

    Both lists, the users who have access to the environment and the users who do not, are filtered to the user names that match the search.

  6. To give access to a user who does not have access to the environment, select the name of the user and click Assign Role for the resource role you want the user to have.

    To remove access from a user, select the name of the user and click Unassign Role for the resource role you want to remove.

The resource role assignments take effect immediately. A number next to a user name indicates the number of resource roles assigned to the user.

Generating an API Access Key

An Altus user or machine user account must have API access credentials to access Altus services through the CLI or API.

As an Altus administrator, you can generate an access key for a user account or a machine user account. A user who has the IAMUser role can generate an access key for their own account; a user account that does not have the IAMUser role depends on an administrator to generate the key.

To generate an API access key for an Altus user or machine user:
  1. Sign in to the Cloudera Altus console:

    https://console.altus.cloudera.com/

  2. On the side navigation panel, click IAM.
  3. On the Users page, click the name of the user or machine user account for which you want to generate an access key.
  4. On the user account page, go to the Access Keys section and click Generate Access Key.

    Altus creates the key and displays the information on the screen. The following image shows an example of an Altus API access key as displayed on the Altus console:


  5. Copy the access key and private key to a text file and send it to the Altus user who requires it over a secure channel. The private key is the secret that authenticates that user's CLI and API calls, so handle it as a credential, not as configuration data.

    The private key is a very long string of characters. Make sure that you copy the full string.

  6. Click OK to exit the access key window.