10-02-2018 11:56 PM - last edited on 10-05-2018 10:11 AM by cjervis
Need to ask the following questions asap around Cloudera Admin access - documentation here https://www.cloudera.com/documentation/enterprise/5-10-x/topics/cm_sg_user_roles.html
10-03-2018 12:43 PM
Answers are in-line:
1. Does any Cloudera Admin roles have full data access – current assumption is Cluster Admin and Full Admin have it.
It depends what you mean by "full data access". CM does not have a feature that allows reading or writing files, but if a user has access to the File Browser in HDFS, they do have the ability to view file names, enable snapshots and set quotas. Note that there is no "download" ability in CM to actually get files... only view the files/directories. Only users with Full Admininstrator, Cluster Administrator, and BDR Administrator roles can view the File Browser.
2. If any Admin role has full data access – can we do without those roles. (e.g. - The documentation says that Full Admin can be deleted once Cloudera set is done.
It really depends on your needs and use cases, but you will probably need a Cluster Administrator at some point. It may be possible to devide up the privileges, but I'm not sure if all will be covered by other roles.
3. Can we add any restrictions/build privileges such that data set (which is highly sensitive) in a particular node is accessible only to users given access to that node and not accessible by any admins.
I'm not sure how to answer this since I am not sure what you mean by "node" and what service/access is being discussed.
I think what you are looking for is HDFS file encryption since that allows you to restrict access to data in the way you seem to imply. The Cloudera Manager file browser uses the "hdfs" user so, with file encryption, you could encrypt sensitive files and not allow the "hdfs" user to decrypt.
Please see these pages:
This is probably most relevant for your question:
Transparent Encryption will allow you to prevent access to your data by administrators.
10-04-2018 06:50 PM
Thanks so much for your reply.
Re: full data access - meant ability to see all data inside files (not just file names). Based on https://www.cloudera.com/documentation/enterprise/5-10-x/topics/cm_sg_user_roles.html
Cluster Admin and Full Admin have an ability to see ALL data. Is that correct?
10-09-2018 04:14 PM
No, Cluster and full Admins can only see file metadata, snapshots, quota, file size... metadata.
They cannot see file contents as Cloudera Manager does not read file contents for display.
If you wanted to do that, you could do that in Hue.
I have opened an internal Jira, OPSAPS-48080, so we can consider clarifying what we mean by "view all data"