User Access to Altus Data Warehouse Clusters

When you create a secure Altus Data Warehouse cluster, Altus creates an identity and authentication directory in the cluster for authentication of Altus users who access the cluster. Altus generates a user ID and password for each Altus user who has access to the Altus Data Warehouse cluster. The user ID and password are unique to the cluster. The identity and authentication service in the Altus Data Warehouse cluster uses the user ID and password to authenticate the user and allow access to the Altus Data Warehouse cluster.

Altus uses Sentry to provide user authorization in a secure Altus Data Warehouse cluster. It uses the users and groups in Altus to build the users and Sentry groups in the Altus Data Warehouse cluster. To have authorization to access data in the Altus Data Warehouse cluster, an Altus user must be a member of a group in Altus that has a corresponding Sentry group and roles in the cluster.

You create users and groups in Altus that you want to grant access to the Altus Data Warehouse cluster and then synchronize the users and groups with the cluster. The synchronization process adds the users to the Altus Data Warehouse cluster and creates corresponding Sentry groups. You create Sentry roles in the Altus Data Warehouse cluster and assign the roles to the groups. Altus stores the Sentry roles and permissions in the Sentry database associated with the SDX namespace for the Altus Data Warehouse cluster.

When an authorized user gets the cluster credentials or uses the Query Editor to access the Altus Data Warehouse cluster, Altus synchronizes the users in Altus with the users in the authentication directory and the groups in Altus with the Sentry groups in the cluster. You also have the option to manually start the user group synchronization for the Altus Data Warehouse cluster.

Setting Up User Access to an Altus Data Warehouse Cluster

You can enable multiple users to access a secure Altus Data Warehouse cluster that uses a configured SDX namespace.

Before you set up users to access the Altus Data Warehouse cluster, ensure that the Altus Data Warehouse cluster that you want to access supports multi-user access.

To create an Altus Data Warehouse Cluster for multi-user access, complete the following tasks:
  1. Create an Altus environment and enable the Secure Clusters option.

    For more information about the Altus environment options, see Environment Options.

    For more information about creating an environment, see Environment Setup for AWS or Environment Setup for Azure.

  2. Create a configured SDX namespace.

    When you create a configured SDX namespace, Altus creates an Altus group to be used as an Admin group for the Sentry server in the Altus Data Warehouse cluster. You, as the creator of the configured SDX namespace, are automatically a member of the SDX Sentry administrator group. You can also add users to the group and manage the group members.

    For more information about the SDX Sentry administrator group, see SDX Sentry Administrator Group.

    For more information about creating a configured SDX namespace, see Creating a Configured SDX Namespace.

  3. Create an Altus Data Warehouse cluster using the secure Altus environment and the configured SDX namespace.

    When you create the Altus Data Warehouse cluster, Altus adds the SDX Sentry admin group to the Sentry server in the cluster. As a member of the SDX Sentry admin group, you have the right to create and grant roles to the Sentry groups in the cluster.

    Altus stores the roles and permissions in the Sentry database associated with the configured SDX namespace. Any cluster that shares the same configured SDX namespace will have access to the roles and permissions in the shared Sentry database.

    For more information about creating an Altus Data Warehouse cluster, see Creating a Data Warehouse Cluster for AWS and Creating a Data Warehouse Cluster for Azure.

After you create the secure Altus Data Warehouse cluster, you can set up the Sentry groups and roles to allow Altus users to access the Altus Data Warehouse cluster.

To set up user access to an Altus Data Warehouse Cluster, complete the following tasks:
  1. Get your credentials for access to the Altus Data Warehouse cluster.

    When you get access credentials to the Altus Data Warehouse cluster, Altus synchronizes the SDX Sentry administrator group with the cluster.

    For more information about getting credentials for a cluster, see Getting the Credentials for an Altus Data Warehouse Cluster.

    You can access the Altus Data Warehouse cluster after the synchronization completes.

  2. Set up Altus users to access the Altus Data Warehouse cluster.

    Create groups in Altus for users who can access the Altus Data Warehouse cluster. Then you can use the Query Editor in Altus to create roles and permissions in the Altus Data Warehouse cluster and assign the roles to the groups.

    For more information about setting up users to access an Altus Data Warehouse cluster, see Setting Up the Altus Data Warehouse Users and Groups.

  3. Users authorized to access the Altus Data Warehouse cluster can get their access credentials for the cluster.

    With their credentials, users can access the Altus Data Warehouse cluster through the Query Editor or connect to the cluster through a JDBC or ODBC connection from standard business intelligence tools.

    For more information about accessing an Altus Data Warehouse cluster, see Accessing an Altus Data Warehouse Cluster.

Setting Up the Altus Data Warehouse Users and Groups

Users who access an Altus Data Warehouse cluster must have a user account in Altus and belong to a group in Altus and in the Altus Data Warehouse cluster.

Create groups in Altus for users who access the account. Then synchronize the Altus groups with the Altus Data Warehouse cluster to generate corresponding Sentry groups in the Altus Data Warehouse cluster. Set up roles and permissions that provide the appropriate level of access to the Altus users and assign them to the groups.

To enable multiple Altus users to access the Altus Data Warehouse cluster, complete the following tasks:

  1. Create the users and groups in Altus.

    If you already have users and groups set up for the Data Warehouse cluster, you can skip these steps. Otherwise, complete the following steps:
    1. Create a group and add the users that require access to the Altus Data Warehouse cluster to the group.

      For example, you create a group named Finance and add user Jane Smith to the group.

      You can create multiple groups for different levels of access to the Altus Data Warehouse cluster, based on the data access requirements of users in your organization.

    2. Grant the group the DatawareClusterUser resource role for the environment used to create the Altus Data Warehouse cluster.

      Following the group example, grant the Finance group the DatawareClusterUser resource role for the secure environment that you used to create the Altus Data Warehouse cluster. User Jane Smith inherits the DatawareClusterUser resource role.

      With the DatawareClusterUser role, group members can access the data in an Altus Data Warehouse cluster but cannot create other clusters. You can grant the group the DatawareUser role to allow users in the group to view other Altus Data Warehouse clusters in the Altus account.

      For more information about Altus Data Warehouse roles and resource roles, see Pre-Defined Altus Roles.

  2. Synchronize the Altus Data Warehouse users and groups with the Altus Data Warehouse cluster.

    To make the users and groups available in Sentry, synchronize the Altus users and groups with the users and groups in the Altus Data Warehouse cluster.

    Using the example, the synchronization process adds the Finance group as a Sentry group to the Altus Data Warehouse cluster and adds the group member Jane Smith to the identity and authentication directory in the cluster.

    For more information about synchronizing users and groups, see User and Group Synchronization.

  3. Create the Sentry roles and assign roles to the groups.

    You can use the Query Editor to set up the Sentry roles and permissions in the Altus Data Warehouse cluster.

    If you created the SDX namespace for the Altus Data Warehouse cluster, you are a member of the SDX Sentry administrator group, which Altus has added to the cluster as an admin group in the Sentry server. However, when you initially access the Altus Data Warehouse cluster, you do not have any permission to the cluster database. You must grant yourself all rights to the database to be able to manage user and group access to the database. Create a role with all rights to the database and assign the role to the SDX Sentry administrator group.

    With the appropriate administrative role, you can create additional roles and permissions and assign the roles to the Sentry groups created from the Altus groups during synchronization. Following the example, you would create a role with appropriate data access permissions and assign it to the Finance group. The role gives group member Jane Smith access to the data in the Altus Data Warehouse cluster.

    For information about the Sentry commands available for managing authorization, see Managing the Sentry Service.
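
The role setup described in step 3, written as Impala SQL statements for the Query Editor. This is an added example, not taken from the Altus documentation. The database name finance_db, the role names, and the group name sdx_sentry_admins are assumptions; substitute the actual name of your SDX Sentry administrator group and database.

```sql
-- Added example. finance_db, db_admin_role, finance_read_role and
-- `sdx_sentry_admins` are assumed names, not values from Altus.

-- 1. Bootstrap: a member of the SDX Sentry administrator group starts
--    with no permission on the database, so create a role with all
--    rights and assign it to that group.
CREATE ROLE db_admin_role;
GRANT ALL ON DATABASE finance_db TO ROLE db_admin_role;
GRANT ROLE db_admin_role TO GROUP `sdx_sentry_admins`;

-- 2. Data access for the synchronized Finance group. SELECT only keeps
--    the group read-only; grant wider privileges only where required.
CREATE ROLE finance_read_role;
GRANT SELECT ON DATABASE finance_db TO ROLE finance_read_role;
GRANT ROLE finance_read_role TO GROUP `Finance`;

-- 3. Verify the result before handing out credentials.
SHOW ROLE GRANT GROUP `Finance`;      -- roles assigned to the group
SHOW GRANT ROLE finance_read_role;    -- privileges carried by the role
SHOW CURRENT ROLES;                   -- roles active for the signed-in user
```

Because the roles and permissions are stored in the Sentry database of the configured SDX namespace, these grants also apply on any other cluster that shares that namespace.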

To revoke a user's access permission to an Altus Data Warehouse cluster:
  • Remove the user from all groups with the DatawareClusterAdmin or DatawareClusterUser resource role for the environment used to create the cluster.
  • Synchronize the users and groups.

Accessing an Altus Data Warehouse Cluster

You can access the Altus Data Warehouse cluster through the Query Editor or connect to the cluster using JDBC or ODBC from standard business intelligence tools. You must have the DatawareClusterUser or DatawareClusterAdmin resource role for the environment used to create the Altus Data Warehouse cluster.

To access an Altus Data Warehouse cluster, complete the following steps:
  1. Get the cluster access credentials for the Altus Data Warehouse cluster.

    Altus synchronizes your cluster credentials with the Altus Data Warehouse cluster. The synchronization can take some time to complete. After you get the access credentials, you might need to wait a while before you can access the cluster.

    For more information about getting credentials for a cluster, see Getting the Credentials for an Altus Data Warehouse Cluster.

  2. Access the Altus Data Warehouse cluster using the Query Editor or through a JDBC or ODBC connection.

    If you access the Altus Data Warehouse cluster using the Query Editor, Altus logs in to the cluster with your credentials. You can create and run your queries against the database based on your assigned roles and privileges, without providing your access credentials.

    If you access the Altus Data Warehouse cluster using a JDBC or ODBC connection, you must include your credentials in your connection settings. Your access to the database from your client tool is based on your assigned roles and privileges.

Getting the Credentials for an Altus Data Warehouse Cluster

Altus generates a unique user ID and password for each user who has access to an Altus Data Warehouse cluster. The user credentials are unique to each cluster. If you have access to multiple Altus Data Warehouse clusters, Altus generates a unique user ID and password for you for each Altus Data Warehouse cluster.

You use the same credentials for a cluster until the cluster is terminated. You can view your credentials at any time.

To get access credentials for an Altus Data Warehouse cluster, you must be an Altus administrator or have the DatawareClusterAdmin or DatawareClusterUser resource role for the Altus environment used to create the cluster.

To get credentials for an Altus Data Warehouse cluster:
  1. Sign in to the Cloudera Altus console:

    https://console.altus.cloudera.com/

  2. On the side navigation panel, go to the Data Warehouse section and click Clusters.
  3. Click the name of the cluster for which you need access credentials.
  4. Click Actions and select Display Access Information.

    The Cluster Access Information window displays the user name and password you can use to access the Altus Data Warehouse cluster. It also displays the IP address for the Impala coordinator node.

    Altus provides a copy icon so you can easily copy your cluster credentials.

  5. Click Close.

User and Group Synchronization

To enable Altus users and groups to access an Altus Data Warehouse cluster, you must synchronize them with the users and Sentry groups in the Altus Data Warehouse cluster.

Altus performs the synchronization for a specific Altus Data Warehouse cluster. During synchronization, Altus sends the authorized Altus user credentials and groups to the Altus Data Warehouse cluster. Altus updates the user and group mapping in the cluster to match the list of authorized Altus users and groups.

Altus synchronizes an Altus user account with the Altus Data Warehouse cluster based on the user authorization:
  • Altus determines whether a user account is authorized to access an Altus Data Warehouse cluster based on the resource roles assigned to the user.

    A user is authorized to access an Altus Data Warehouse cluster if the user is assigned or belongs to a group that is assigned the DatawareClusterAdmin or DatawareClusterUser resource role for the Altus environment used to create the cluster.

    Altus includes all authorized user accounts in the synchronization.

  • Altus generates a user ID and password for each user account that is authorized to access an Altus Data Warehouse cluster.

    Altus includes the user IDs and passwords for all authorized users in the synchronization.

  • Altus determines the groups that a user belongs to.

    Altus includes all authorized users' groups in the synchronization.

The following events trigger user and group synchronization:
  • An Altus user displays the cluster credentials for the Altus Data Warehouse cluster.

    When you display your cluster credentials, Altus synchronizes your user account and credentials with the Altus Data Warehouse cluster.

  • An Altus user uses the Query Editor to access the Altus Data Warehouse cluster.

    When you access an Altus Data Warehouse cluster through the Query Editor, you do not need to provide your credentials. Altus automatically logs in to the cluster with your credentials. Altus verifies whether you have access credentials for the cluster. If you do not yet have credentials for the cluster, Altus generates a user ID and password for you and synchronizes your user account with the Altus Data Warehouse cluster.

    If your group membership changes after the Query Editor synchronizes your user account, you must manually initiate the user group synchronization to update the Altus Data Warehouse cluster.

  • An Altus user manually starts the synchronization process.

    You can initiate the user group synchronization on the Altus console.

    If you set up users and groups to access an Altus Data Warehouse cluster, synchronize the Altus users and groups with the cluster. If you revoke a user's access to an Altus Data Warehouse cluster, synchronize the users and groups.

    For more information about synchronizing users and groups, see Synchronizing Users and Groups.

To get access credentials for a cluster, use the Query Editor, or start the synchronization, you must be an Altus administrator or have the DatawareClusterAdmin or DatawareClusterUser resource role for the Altus environment used to create the cluster.

Synchronizing Users and Groups

On the Altus console, you can manually start the user and group synchronization for an Altus Data Warehouse cluster.

To start the user and group synchronization for an Altus Data Warehouse cluster:
  1. Sign in to the Cloudera Altus console:

    https://console.altus.cloudera.com/

  2. On the side navigation panel, go to the Data Warehouse section and click Clusters.
  3. Click the name of the cluster for which you need access credentials.

    The cluster detail page shows the configuration and details of the cluster. On the right panel of the page, Altus displays the status and the date and time of the last user group synchronization for the cluster.

  4. On the right panel of the page, click Sync Users.

    Altus starts the synchronization process. The synchronization process can take some time. When the process completes, Altus displays the status and the start and end times of the synchronization.