Identity and Access Management

Altus user accounts identify who can access services and components in Altus. Roles assigned to a user account determine the actions that the user can do in Altus.

Altus User Accounts

You can have the following accounts in Altus:
  • Altus Account Administrator
  • Altus User
  • Machine User

Altus Account Administrator

During the initial setup of the Altus subscription for a customer, Cloudera designates a user account as an Altus account administrator. An Altus account administrator has administrator privileges in Altus. The Altus account administrator user account cannot be managed within Altus. You must contact Cloudera support to add or to remove an account administrator from your Altus account.

As an account administrator, you have all privileges in Altus and can perform any task in Altus. You can set up users and assign roles and environments to users in Altus according to the tasks that they need to perform. You can set up another user as an Altus administrator by assigning the PowerUser role to the user. However, you cannot set up another user as an Altus account administrator.

An Altus account administrator requires a Cloudera user account. To be designated as an Altus account administrator, you must register for a Cloudera user account. To register for a Cloudera user account, go to the Cloudera Account Registration page and create an account.

Altus User

An Altus user must have a Cloudera user account. To get an Altus user account, you must register for a Cloudera user account. To register for a Cloudera user account, go to the Cloudera Account Registration page and create an account.

When an Altus user who is not an account administrator logs in to Altus for the first time, the user has limited privileges. An Altus administrator must assign an environment and appropriate roles to the user after the initial user login.

Use the following guidelines when you manage user accounts in Altus:
  • An Altus user account has an associated Cloudera user account. To delete the user account from Altus, send a request to Cloudera to delete the Cloudera account for the user.

    You can revoke permissions for an Altus user account but you cannot delete the account from within Altus.

  • When you revoke permissions for a user, ensure that you remove all the roles that grant the permissions that you want to revoke.
    To revoke all permissions granted to a user, complete the following steps:
    • Remove all roles assigned to the user.
    • Remove all environments assigned to the user.
    • Delete any access key created for the user.
  • A user who has a valid account in Altus but is not assigned any role can perform a limited number of tasks.
    A user who logs in to the Altus console without an assigned role or environment can perform only the following tasks:
    • Download the Altus client.
    • View the Altus documentation.
    • Create a support case.

Machine User

A machine user account provides programmatic access to Altus. Create a machine user account if you have an application that needs to access the Altus services with the CLI or the Altus SDK for Java. You can define the machine user account in your application to create and manage clusters and run jobs in Altus using the CLI or API commands.

You create and manage a machine user account within Altus. You must assign an API access key to a machine user account to enable it to access the Altus service with the CLI or Altus SDK for Java. You must assign roles to a machine user account to authorize it to perform tasks in Altus.

A machine user account does not have an associated Cloudera user account. You cannot use a machine user to log in to the Altus console.

Use the following guidelines when you manage user accounts in Altus:
  • When you create a machine user account, you assign roles and environments to the machine user account in the same way that you assign roles and environments to other user accounts. For more information about assigning roles and environments to a user account, see Setting Up User Access and Authorization.
  • When you revoke permissions for a machine user, ensure that you remove all the roles that grant the permissions that you want to revoke.
    To revoke all permissions granted to a machine user account, complete the following steps:
    • Remove all roles assigned to the machine user.
    • Remove all resources, including environments, that are assigned to the machine user.
    • Delete any access key created for the machine user.
  • You can delete a machine user account in Altus.

    You can delete the machine user account on the Altus console or using the CLI. For more information about deleting a machine user account, see Deleting a Machine User Account.

Altus-Defined Machine User Account

Altus-defined machine user accounts are machine user accounts that Altus creates to perform specific operations. For example, when you enable the Workload Analytics option for an environment, Altus creates a machine user account to run the Telemetry Publisher to publish the job metrics for each cluster that uses the environment.

The name of an Altus-defined machine user account includes the cluster ID of the cluster for which the account is created and typically indicates the process that it is used for.

Altus uses the following Altus-defined machine user account:

  Machine User Name: dataeng-wa-publisher-ClusterID
  Usage: Runs the Workload Analytics process to publish analytics information for jobs that run in an Altus cluster.

Altus deletes the machine user accounts it creates when they are no longer needed. For example, when Altus creates a machine user to publish workload analytics for a cluster and the cluster is terminated, Altus deletes the machine user account and the roles and access key assigned to it.

You can view and manage all machine user accounts that are created in your Altus account, including Altus-defined machine user accounts. On the Altus console, the Altus-defined machine user accounts are listed with other user accounts on the Users page.

Creating a Machine User Account

You can create a machine user account and use it in an application to programmatically access the Altus API through the CLI.

Creating a Machine User Account on the Console
To create a machine user on the console:
  1. Sign in to the Cloudera Altus console:

    https://console.altus.cloudera.com/

  2. In the IAM section of the side navigation panel, click Users.

    The Users page displays the list of all Altus users.

  3. Click Create Machine User.
  4. On the Create Machine User window, enter a name for the machine user account.

    The machine user name can be an alphanumeric string of up to 128 characters. It can include underscores (_) and hyphens (-). The name must be unique within the Altus account.

  5. Click Create.
Creating a Machine User Account Using the CLI
You can use the following command to create a machine user account:
altus iam create-machine-user \
--machine-user-name=MachineUserName

After you create the machine user account, assign an access key and role to the machine user.

To assign an access key to the machine user account, use the following command:
altus iam create-machine-user-access-key \
--machine-user-name=MachineUserName
To assign a role to the machine user account, use the following command:
altus iam assign-machine-user-role \
--machine-user-name=MachineUserName \
--role=RoleName

The value for the role parameter can be the name or the CRN of the role.

If you want to use the machine user account to create clusters or run jobs, assign it an environment.

To assign an environment to the machine user account, use the following command:
altus iam assign-machine-user-resource-role \
--machine-user-name=MachineUserName \
--resource-crn=ResourceCRN \
--resource-role-crn=ResourceRoleCRN

The resource-crn is the CRN of the environment you want to assign to the machine user. The resource-role-crn is the CRN of a resource role associated with an environment, such as the DataEngUser role.

Deleting a Machine User Account

Before you delete a machine user account, verify that the machine user account is not used in an application. Altus does not check for associated processes before it deletes a machine user account. If you delete a machine user account that is used in an application, the application fails.

Deleting a Machine User Account on the Console
To delete a machine user account on the console:
  1. Sign in to the Cloudera Altus console:

    https://console.altus.cloudera.com/

  2. On the side navigation panel, click IAM.

    The Users page displays the list of all Altus users.

  3. Go to the name of the machine user that you want to delete and click the Actions button.

    Make sure that the machine user account you plan to delete is not set up to run an Altus process.

  4. Select Delete Machine User.
  5. On the Confirm window, click OK to delete the machine user account.
Deleting a Machine User Account Using the CLI

Before you delete a machine user account, remove the assigned roles and access keys from the user account.

Run the commands to remove the role and access keys assigned to the machine user account and then delete the user.

To remove a role assigned to the machine user:
altus iam unassign-machine-user-role \
--machine-user-name=MachineUserName \
--role=RoleName
To remove a resource role assigned to the machine user:
altus iam unassign-machine-user-resource-role \
--machine-user-name=MachineUserName \
--resource-crn=ResourceCRN \
--resource-role-crn=ResourceRoleCRN
To remove an access key assigned to the machine user:
altus iam delete-access-key \
--access-key-id=IDOfAccessKeyAssignedToMachineUser
To delete the machine user account:
altus iam delete-machine-user \
--machine-user-name=MachineUserName

Roles and Resource Roles

A user requires permission to access resources and perform tasks in Altus. As an Altus administrator, you can assign a role to a user to give the user permission to perform tasks.

A policy defines the permissions associated with a role. It consists of policy statements that grant permissions to resources. The policy attached to a role determines the operations that the role allows the user to perform. When users attempt to perform operations that are not permitted in their assigned role, they get a permission denied error message.

A role that is associated with specific resources is called a resource role. This type of role gives permission to perform tasks on a specific resource, such as an Altus environment.

Altus provides the following types of roles:
Role

A role grants permissions to perform tasks in Altus that are not associated with a specific resource. You explicitly assign a role to a user account.

Altus has pre-defined roles for your use. You can assign a role or a combination of roles to give the user the appropriate permissions to complete tasks in Altus. You cannot modify the pre-defined Altus roles or the policies associated with the pre-defined roles.

Resource Role

A resource role grants a user or group permission to access and perform tasks on a specific resource. You assign a resource role to a user account or group by selecting a combination of resource and resource role.

When you assign a resource role, you must specify the resource on which to grant the resource role permissions. For example, you can assign a user a resource role that grants permission on an environment. The user assigned the resource role can access and perform tasks on only the cloud provider resources described in the environment.

The resource role determines the tasks that the user can perform using the resources associated with the role. For example, the DataEngEnvironmentUser resource role allows the user to access and use the resources described in the environment associated with the resource role.

You cannot modify the pre-defined resource roles or the policies associated with the pre-defined resource roles.

Pre-Defined Altus Roles

Altus provides roles and resource roles with specific permissions that you can assign to users based on the tasks that they are allowed to perform in Altus. You can assign the roles to Altus users, machine users, and groups.

The scope of pre-defined roles and resource roles can vary. For example, a role might grant view access only to Altus Data Engineering clusters but not Altus Data Warehouse clusters. You might need to assign multiple roles to ensure that a user can perform all required tasks in Altus.

The following tables show the pre-defined roles and resource roles available in Altus that you can assign to Altus users, machine users, and groups:
Roles
The following table shows the pre-defined roles in Altus and the permissions that they grant:
  Role: PowerUser
  Permissions: Grants permission to perform all tasks on all resources.

  Role: IAMUser
  Permissions: Grants the following permissions:
    • View all users in the Altus account.
    • View all access keys in the Altus account.
    • View all roles and resource roles available in the Altus account.
    • View the assigned roles and resource roles of all users in the Altus account.
    • Create an access key for the user's own use.
    • Activate, deactivate, or delete the user's own access key.

  Role: DataEngUser
  Permissions: Grants the following permissions:
    • View all Altus Data Engineering clusters in the Altus account.
    • View all environments in the Altus account.
    • View all Altus Data Engineering jobs submitted by the user.

  Role: DatawareUser
  Permissions: Grants the following permissions:
    • View all Altus Data Warehouse clusters in the Altus account.
    • View all environments in the Altus account.

  Role: SdxAdmin
  Permissions: Grants the following permission:
    • Create and delete SDX namespaces in the Altus account.
Resource Roles

When you assign a resource role, you must specify the resource on which to grant the resource role permissions.

The following table shows the resource roles in Altus environments, the type of resource associated with the resource role, and the permissions that they grant to a user or group:

  Resource Role: DataEngEnvironmentUser
  Resource: Environment
  Permissions: Grants the following permissions on the environment associated with the resource role:
    • Create or delete Altus Data Engineering clusters using the environment.
    • Submit, view, troubleshoot, and terminate jobs on any Altus Data Engineering cluster created using the environment.

  Resource Role: DatawareClusterAdmin
  Resource: Environment
  Permissions: Grants the following permissions on the environment associated with the resource role:
    • Create or delete Altus Data Warehouse clusters using the environment.
    • Get the cluster credentials for any Altus Data Warehouse cluster created using the environment.

  Resource Role: DatawareClusterUser
  Resource: Environment
  Permissions: Grants the following permission on the environment associated with the resource role:
    • Get cluster access credentials for any Altus Data Warehouse cluster created using the environment.

  Resource Role: IamGroupAdmin
  Resource: Group
  Permissions: Grants the following permissions on the group associated with the resource role:
    • Add users to the Altus group associated with the role.
    • Remove users from the Altus group associated with the role.

  Resource Role: DataEngNamespaceUser
  Resource: Namespace
  Permissions: Grants the following permission on the SDX namespace associated with the resource role:
    • Use the SDX namespace with an Altus Data Engineering cluster.

  Resource Role: DatawareNamespaceUser
  Resource: Namespace
  Permissions: Grants the following permission on the SDX namespace associated with the resource role:
    • Use the SDX namespace with an Altus Data Warehouse cluster.

Setting Up User Access and Authorization

At a minimum, an Altus user who is not an administrator must be assigned a role and have access to an environment. Additionally, if the Altus user requires access to other Altus resources, such as an SDX namespace, the user needs the corresponding resource roles. To use the CLI, the user must also have an access key.

You must be an Altus administrator to assign roles and resource roles to users.

Altus provides pre-defined roles that you can assign to Altus users. Verify the tasks that a user must perform and assign roles appropriately. For more information about Altus roles, see Roles and Resource Roles.

Cloudera Altus manages access to Altus services through the CLI or API with an access key. Only a user with API access credentials can access Altus services through the CLI or API. You can generate an API access key for an Altus user to allow the user to use the CLI or the API.

To set up a user in Altus, complete the following tasks:
  1. Assign the user a role.
  2. Provide the user access to an environment and Altus resources.
  3. Generate an access key for the user.

Assigning a Role

Assign roles to an Altus user to manage the tasks that the user can perform in Altus. You can assign multiple roles to users to provide them with the permissions they need to perform their required tasks.

To assign a role to a user:
  1. Sign in to the Cloudera Altus console:

    https://console.altus.cloudera.com/

  2. In the IAM section of the side navigation panel, click Users.

    The Users page displays the list of all Altus users.

  3. Click the name of the user to whom you want to assign a role.

    The user details page displays information about the user.

  4. Click the Roles tab.
  5. Click Update Roles.
  6. On the Update Roles window, select the roles you want to assign to the user.

    To view the permissions that the role grants to the user, click Policies. The policy is displayed in JSON format.

    To remove a role from the user account, clear the selected role.

  7. Click Update.

    The roles that you select display in the list of roles assigned to the user.

To remove a role from a user account, click Unassign Role next to the role that you want to remove. Click OK to confirm that you want to revoke the role permissions.

Assigning an Environment and Altus Resources

Assign a user a resource role to an Altus environment to grant the user access to the resources they need to create clusters and run jobs in the cloud provider account. An Altus user cannot create clusters or run jobs without access to cloud provider resources through the Altus environment.

In addition to an environment, a user might require access to other Altus resources. To provide a user access to an Altus resource, you must assign the user a role that grants access to the resource. For example, a user might need to create an Altus Data Engineering cluster with an SDX namespace. Assign the user the DataEngNamespaceUser resource role on the specific SDX namespace that the user needs to use.

You can also assign a resource role to a machine user. If a user or machine user is a member of an Altus group, you can assign the resource role to the group. Altus assigns the resource role to all members of the group.

To assign a resource role to a user or group:
  1. Sign in to the Cloudera Altus console:

    https://console.altus.cloudera.com/

  2. In the IAM section of the side navigation panel, click Users.

    To assign a resource role to a group, click Groups.

    The Users page displays the list of all Altus users. Similarly, the Groups page displays the list of all Altus groups.

  3. Click the name of the user or group to which you want to assign a resource role.
  4. Click the Resources tab.
  5. Click Assign Resources.
  6. On the Update Resource Roles window, select the type of resource that you want to assign to the user or group.
    You can assign roles for the following types of resources:
    • Environment. Provides access to the cloud provider resources described in the selected environment.
    • Group. Allows a user to manage the members of the selected group.
    • Namespace. Allows a user to use the selected SDX namespace with a cluster.
  7. Select the specific resource to which you want to grant permission.

    The list of roles available for the resource displays.

  8. Select the resource role that you want to assign to the user or group and click Update Roles.

    You can select multiple resource roles. The resource roles that you select display in the list of resource roles assigned to the user or group.

To remove access to a resource role from a user or group, select the user or group and go to the Resources tab. Review the list of assigned resources and click Remove Resource Role next to the resource role that you want to remove.

Generating an API Access Key

An Altus user account must have API access credentials to access Altus services through the CLI or API.

As an Altus administrator, you can generate an access key for a user account that does not have the IAMUser role.

To generate an API access key for an Altus user or machine user:
  1. Sign in to the Cloudera Altus console:

    https://console.altus.cloudera.com/

  2. On the side navigation panel, click IAM.
  3. On the Users page, click the name of the user or machine user account for which you want to generate an access key.
  4. On the user account page, go to the Access Keys section and click Generate Access Key.

    Altus creates the key and displays the information on the screen. The following image shows an example of an Altus API access key as displayed on the Altus console:

  5. Copy the access key and private key to a text file and send it to the Altus user who requires it.

    The private key is a very long string of characters. Make sure that you copy the full string.

  6. Click OK to exit the access key window.

Examples of Role and Resource Assignment

To enable different users to perform different tasks, you must assign the proper role to the user account. If a user in Altus does not have the PowerUser role, you must assign the user the resource role of at least one environment. Otherwise, the user has limited permissions in Altus and cannot create clusters or submit jobs.

The following are examples of Altus users and the roles they would need to complete their tasks:
Administrator
An Altus administrator can access all resources and perform all tasks in Altus.

To set up a user as an Altus administrator, assign the PowerUser role to the user account.

Altus Data Engineering user
The Altus Data Engineering user can create Altus Data Engineering clusters and run jobs on the clusters.

To set up an Altus Data Engineering user, assign the following roles:

  • DataEngEnvironmentUser resource role for an environment.
  • DataEngUser role.
  • DataEngNamespaceUser resource role for an SDX namespace (optional).
  • IAMUser role (optional).
Altus Data Warehouse user
The Altus Data Warehouse cluster user can access and send SQL requests to Altus Data Warehouse clusters but cannot create clusters.

To set up an Altus Data Warehouse user, assign the following roles:

  • DatawareClusterUser resource role for an environment.
  • DatawareUser role (optional).
  • DatawareNamespaceUser resource role for an SDX namespace (optional).
  • IAMUser role (optional).
Altus Data Warehouse cluster administrator
The Altus Data Warehouse cluster administrator can create and manage Altus Data Warehouse clusters.

To set up a user as an Altus Data Warehouse cluster administrator, assign a user the following roles:

  • DatawareClusterAdmin resource role for an environment.
  • DatawareUser role.
  • IAMUser role (optional).
SDX namespace administrator
The SDX administrator can create and manage SDX namespaces. The SDX namespace administrator can also become a Sentry administrator for the cluster associated with the SDX namespace created by the SDX namespace administrator.

To set up a user as an SDX administrator, assign the SdxAdmin role to the user account.
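To make the rules in the Roles and Resource Roles tables and the assignment examples above concrete, here is a small Python model of how they combine (an added example, not Altus code or its real policy engine). The action names, the sample CRNs, the group name and the way group grants are inherited are assumptions for illustration; the role and resource role names and what each permits come from the tables above.

```python
from dataclasses import dataclass, field

# Account-wide roles and the actions they permit anywhere (Roles table).
# Action names are constructed for this model, not Altus policy identifiers.
ROLE_ACTIONS = {
    "PowerUser": {"*"},
    "IAMUser": {"iam:view-users", "iam:view-access-keys", "iam:view-roles",
                "iam:manage-own-access-key"},
    "DataEngUser": {"dataeng:view-clusters", "env:view", "dataeng:view-own-jobs"},
    "DatawareUser": {"dataware:view-clusters", "env:view"},
    "SdxAdmin": {"sdx:create-namespace", "sdx:delete-namespace"},
}

# Resource roles: the resource type they bind to and the actions they permit
# on that one resource only (Resource Roles table).
RESOURCE_ROLE_ACTIONS = {
    "DataEngEnvironmentUser": ("environment", {"dataeng:create-cluster",
        "dataeng:delete-cluster", "dataeng:submit-job", "dataeng:terminate-job"}),
    "DatawareClusterAdmin": ("environment", {"dataware:create-cluster",
        "dataware:delete-cluster", "dataware:get-credentials"}),
    "DatawareClusterUser": ("environment", {"dataware:get-credentials"}),
    "IamGroupAdmin": ("group", {"iam:add-group-member", "iam:remove-group-member"}),
    "DataEngNamespaceUser": ("namespace", {"dataeng:use-namespace"}),
    "DatawareNamespaceUser": ("namespace", {"dataware:use-namespace"}),
}

# Constructed sample CRNs and a constructed group grant; real Altus CRNs differ.
ENV_A = "crn:altus:environments:example:env-a"
ENV_B = "crn:altus:environments:example:env-b"
GROUP_GRANTS = {"analysts": {("DatawareClusterUser", ENV_B)}}


@dataclass
class Principal:
    """An Altus user or machine user as this model sees it."""
    name: str
    roles: set = field(default_factory=set)           # account-wide role names
    resource_roles: set = field(default_factory=set)  # {(resource_role, resource_crn)}
    groups: set = field(default_factory=set)          # groups the principal belongs to
    access_keys: list = field(default_factory=list)   # access key ids


def effective_resource_roles(p, group_grants):
    """Direct resource-role grants plus those inherited through group membership."""
    inherited = set()
    for g in p.groups:
        inherited |= group_grants.get(g, set())
    return p.resource_roles | inherited


def is_allowed(p, action, resource_crn=None, group_grants=None):
    """A role permits the action everywhere; a resource role permits it only on
    the named resource. Anything not granted is denied."""
    for role in p.roles:
        allowed = ROLE_ACTIONS.get(role, set())
        if "*" in allowed or action in allowed:
            return True
    if resource_crn is None:
        return False
    for rrole, crn in effective_resource_roles(p, group_grants or {}):
        _, allowed = RESOURCE_ROLE_ACTIONS.get(rrole, (None, set()))
        if crn == resource_crn and action in allowed:
            return True
    return False


def revoke_all(p):
    """The revoke-everything checklist from the guidelines: roles, resource roles,
    access keys. Grants inherited from a group stay in this model until the group grant goes."""
    p.roles.clear()
    p.resource_roles.clear()
    p.access_keys.clear()
    return p
```

Running the decisions for the personas above shows why a DataEngUser with no environment resource role can view clusters but not create one, and why revoking a principal's own grants does not touch what it inherits from a group.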