Configured SDX Namespaces

An Altus SDX namespace backed by Hive metastore and Sentry databases that you set up and manage is called a configured SDX namespace. You can create configured SDX namespaces for use with workloads that run on clusters that you create in Altus and clusters that you create with Altus Director or Cloudera Manager.

When you create an Altus cluster, you can specify a configured SDX namespace to use with the cluster. The configured SDX namespace can also be used by other clusters in the cloud that access the same dataset. Any metadata generated by your cluster is stored in the Hive metastore and Sentry database associated with the configured SDX namespace and can be used by other clusters that share the same Hive metastore and Sentry database or that use the same configured SDX namespace.

An Altus cluster can read metadata from or write metadata to only one SDX namespace. Clusters that use the same SDX namespace share only the metadata of the dataset that they access. Each cluster uses its own computing power to access the data and execute jobs in the cluster.

SDX Administrator

To create or delete an SDX namespace, you must be an Altus administrator or have the SdxAdmin role.

If you are an Altus administrator, you can assign Altus users the SdxAdmin role so that they can create SDX namespaces to use for their clusters or to be shared with clusters created by other users. You can assign the SdxAdmin role to an Altus user, machine user, or an Altus group.

For more information about assigning the SdxAdmin role to a user or group, see Assigning a Role.

SDX Sentry Administrator Group

Altus uses Apache Sentry as the authorization service for user access to data and metadata stored in the Hive metastore database. When you create a configured SDX namespace, Altus creates an SDX Sentry administrator group for the SDX namespace. The SDX Sentry administrator group is an Altus group which Altus adds to the Sentry server as an administrator group. You, as creator of the configured SDX namespace, are automatically a member and the administrator of the Altus group.

Altus also assigns your user account the IamGroupAdmin resource role for the group, which makes you the group membership administrator for the SDX Sentry administrator group. You can add users to or remove users from the group.

Although you can use the SDX Sentry administrator group the same way as other Altus groups, Cloudera recommends that you treat the SDX Sentry administrator group as a special-use group and manage it differently than other Altus groups. For guidelines on using the SDX Sentry administrator group, see Guidelines for Using the SDX Sentry Administrator Group.

SDX Sentry Administrator Group Privileges

When you create a configured SDX namespace, you can select which privileges Altus grants the associated SDX Sentry administrator group.

By default, the SDX Sentry administrator group has administrative privileges in Sentry, which include the privilege to create roles and grant privileges to groups in Sentry. You can choose to grant the SDX Sentry administrator group ALL privileges in addition to the default administrative privileges.

On the Altus console, when you create a configured SDX namespace, Altus provides the following options for setting the SDX Sentry Administrator Group privileges:
  • Yes, automatically grant ALL Sentry privileges to the admin group

    When you select this option, Altus creates a role in Sentry with the same name as the SDX Sentry administrator group with ALL privileges on the Sentry server. Altus then assigns the role to the SDX Sentry administrator group.

    With this option, a member of the SDX Sentry administrator group can perform the following tasks:
    • Create roles and grant privileges to groups in Sentry.
    • Create and manage database schemas.

    You might want to select this option if you need to create databases immediately after you create the cluster you associate with the configured SDX namespace, such as for testing or demonstration purposes.

  • No, I will set up roles and privileges in Sentry

    When you select this option, Altus does not create a role for the SDX Sentry administrator group to grant ALL privileges on the Sentry server. A member of the SDX Sentry administrator group has Sentry administrative privileges but cannot create or manage database schemas.

    With this option, you set up and manage groups and roles in Sentry to grant database privileges.

    Select this option if you already have Sentry authorization policies in place and you do not want to provide additional privileges to new groups. For example, the Sentry database that you use for the configured SDX namespace is one that you created previously and already has groups and roles set up with authorization to specific databases and tables. You might not want to assign a role to the SDX Sentry administrator group that provides members of the group unrestricted access to all databases and tables.
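
The following statements sketch what the two options mean in Sentry terms. They are an added example, not taken from the Altus documentation. The server name server1 and all role, group, database, and table names are constructed for illustration, and the commented-out statements are an inferred equivalent of what the "Yes" option is described as doing.

```sql
-- Run from a Hive client such as Beeline as a member of the
-- SDX Sentry administrator group. All names are constructed examples;
-- "server1" is an assumed Sentry server name.

-- "Yes" option, for comparison only (inferred from the description above):
-- a role named after the admin group that holds ALL on the whole server.
--   CREATE ROLE adminsalesns_example;
--   GRANT ALL ON SERVER server1 TO ROLE adminsalesns_example;
--   GRANT ROLE adminsalesns_example TO GROUP adminsalesns_example;

-- "No" option: the admin group keeps only Sentry administrative rights,
-- and access to data is granted through narrowly scoped roles.

-- Read-only access to one existing database for an analyst group.
CREATE ROLE sales_reader;
GRANT SELECT ON DATABASE sales TO ROLE sales_reader;
GRANT ROLE sales_reader TO GROUP sales_analysts;

-- An ETL group: full control of its staging database,
-- read access to a single table in the curated database.
CREATE ROLE sales_etl;
GRANT ALL ON DATABASE sales_staging TO ROLE sales_etl;
USE sales;
GRANT SELECT ON TABLE orders TO ROLE sales_etl;
GRANT ROLE sales_etl TO GROUP sales_etl_jobs;

-- Review what exists before and after changes: look for any role
-- that carries ALL on the server, and confirm which groups hold it.
SHOW ROLES;
SHOW GRANT ROLE sales_reader;
SHOW GRANT ROLE sales_etl;
SHOW ROLE GRANT GROUP sales_analysts;
SHOW ROLE GRANT GROUP sales_etl_jobs;
```

Because every cluster that uses the namespace shares the same Sentry database, grants made this way apply to all of those clusters.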

Guidelines for Using the SDX Sentry Administrator Group

Use the following guidelines for using and managing the SDX Sentry administrator group:
  • Any user who is a member of the SDX Sentry administrator group is a Sentry administrator for the configured SDX namespace.

    When you add a user account to the SDX Sentry administrator group, the user becomes a Sentry administrator and can grant privileges to users who access data and metadata stored in the configured SDX namespace. Likewise, if you remove a user from the SDX Sentry administrator group, you revoke the user's Sentry administrative privileges.

    Make sure that the users that you add to the SDX Sentry administrator group are only those users that require the SDX Sentry administrator group privileges to do their jobs.

  • Altus uses a naming convention for the SDX Sentry Administrator Group name.

    Altus creates the SDX Sentry administrator group with the following naming convention:

    adminPartOfSDXNamespaceName_UniqueID

    Altus includes the first nine alphanumeric characters, excluding special characters, of the SDX namespace name in the SDX Sentry administrator group name.

    Altus lists SDX Sentry administrator groups among other Altus groups on the Groups page of the Altus console. You can determine whether the group is an SDX Sentry administrator group and which SDX namespace it is associated with by looking at the group name.

  • When you delete the configured SDX namespace, Altus deletes the SDX Sentry Administrator Group.

    Do not delete the SDX Sentry administrator group. The configured SDX namespace requires its associated SDX Sentry Administrator Group to work with Sentry.

    If you no longer require the configured namespace, delete the configured SDX namespace. Altus deletes the namespace and the associated SDX Sentry Administrator Group.