Posts: 30
Registered: 08-27-2015

AD authentication without a Cloudera Manager Group in AD

I am trying to configure Cloudera Manager to authenticate over Active Directory. I read the document but I don't find any option for what I am looking for.


My requirement: The user should authenticate over AD and if that user does not exist in Cloudera Manager Local database then login should fail. 


I have only seen the option to make a group in AD and add the user to that AD group, but I don't want to go this route.


Please let me know if any solution exists.

Cloudera Employee
Posts: 39
Registered: 12-14-2016

Re: AD authentication without a Cloudera Manager Group in AD

Hi Somu,


If I’m understanding correctly, you’d like a user to be able to log in only if they authenticate through AD and exist in the Cloudera Manager user database?


Cloudera Manager controls access through the use of roles. Is there a reason creating groups and assigning users to those groups is not a viable option? Just trying to better understand what the constraints are.


Posts: 30
Registered: 08-27-2015

Re: AD authentication without a Cloudera Manager Group in AD

Dear H,


Yes, you understood correctly. I only want to grant logon access to users who exist in both AD and the Cloudera Manager database.


I understand that creating groups in AD and assigning users to a group is what Cloudera suggests, but we don't want that route. In a big organization, creating AD groups and creating new forms for new users to be part of an AD group is a pain. In the end it all depends upon the AD admin, how many days he will take to assign a new user to that CM AD group.


We would like to overcome this issue and make the process simple. The requirement I am looking for is more secure than assigning a user to an AD group.


Example: If the AD admin assigns the wrong user to the AD group, then that user can log in to Cloudera Manager.


It does not matter whether AD authentication is group-based or the user exists in AD, but it should validate whether that user exists in the Cloudera Manager database or not.


This feature is available in HUE and many web-based apps and relational databases, for security reasons. Is there any workaround in CM with a safety valve?