Configured SDX Namespaces

An Altus SDX namespace backed by Hive metastore and Sentry databases that you set up and manage is called a configured SDX namespace. You can create configured SDX namespaces for use with workloads that run on CDH clusters on the cloud, including clusters that you create in Altus and clusters that you create with Altus Director. All CDH clusters that share the same configured SDX namespace can use the metadata without needing to recreate the metadata during the initial access to the dataset.

When you create an Altus cluster, you specify a configured SDX namespace to be used by the cluster to access metadata. The configured SDX namespace can also be used by other CDH clusters on the cloud that access the same dataset. Any metadata generated by your cluster is also stored in the database associated with the configured SDX namespace and can be used by other CDH clusters that use the same configured SDX namespace.

An Altus cluster can read metadata from or write metadata to only one SDX namespace. Clusters that use the same SDX namespace share only the metadata of the dataset that they access. Each cluster uses its own computing power to access the data and execute jobs in the cluster.

SDX Administrator

To create or delete an SDX namespace, you must be an Altus administrator or have the SdxAdmin role.

If you are an Altus administrator, you can assign Altus users the SdxAdmin role so that they can create SDX namespaces to use for their clusters or to be shared with clusters created by other users. You can assign the SdxAdmin role to an Altus user, machine user, or an Altus group.

To assign the SdxAdmin role to a user or group:
  1. Sign in to the Cloudera Altus console:

  2. In the IAM section of the side navigation panel, click Users.

    To assign the SdxAdmin role to a group, click Groups

  3. Click the name of the user or group to which you want to assign a role.

    The user or group details page displays information about the user or group.

  4. Click the Roles tab.
  5. Click Update Roles.
  6. On the Update Roles window, select the SdxAdmin role.

    To view the permissions for the role, click Policies. The policy is displayed in JSON format.

  7. Click Update.

    The SdxAdmin role displays in the list of roles assigned to the user or group.

To revoke the SdxAdmin permissions of a user or group, click Unassign Role next to the SdxAdmin role that you want to remove. Click OK to confirm that you want to remove the SdxAdmin role from the user or group.

SDX Sentry Administrator Group

Altus uses Apache Sentry as the authorization service for user access to data and metadata stored in the Hive metastore database. When you create a configured SDX namespace, Altus creates an Altus group to add as an admin group for Sentry. You, as creator of the configured SDX namespace, are automatically a member of the group.

Altus also assigns your user account the IamGroupAdmin resource role for the group, which makes you the group membership administrator for the SDX Sentry administrator group. You can add users to or remove users from the group.

Although you can use the SDX Sentry administrator group the same way as other Altus groups, Cloudera recommends that you treat the SDX Sentry administrator group as a special-use group and manage it differently than other Altus groups.

Use the following guidelines to manage the SDX Sentry administrator group:
Any user who is a member of the SDX Sentry administrator group is a Sentry administrator for the configured SDX namespace.

When you add a user account to the SDX Sentry administrator group, the user becomes an SDX Sentry administrator and can grant privileges to users who access data and metadata stored in the configured SDX namespace. Likewise, if you remove a user from the SDX Sentry administrator group, you revoke the user's Sentry administrator permissions.

Make sure that the users that you add to the SDX Sentry administrator group are only those users that require the Sentry Admin group permissions to do their jobs.

Altus uses a naming convention for the SDX Sentry administrator group name.

Altus creates the SDX Sentry administrator group with the following naming convention:


Altus includes the first nine alphanumeric characters, excluding special characters, of the SDX namespace name in the SDX Sentry administrator group name.

Altus lists SDX Sentry administrator groups among other Altus groups in the in the Groups page. You can determine whether the group is an SDX Sentry administrator group and which SDX namespace it is associated with by looking at the group name.

When you delete the configured SDX namespace, Altus deletes the SDX Sentry administrator group.

Cloudera recommends that you do not delete the SDX Sentry administrator group. Instead, if you no longer require the Altus SDX namespace, delete the Altus SDX namespace. Altus deletes the namespace and the associated SDX Sentry administrator group.