03-16-2018 03:57 PM
We are currently looking for possibilities of automatically rotating Cloudera Director credentials.
We have found that this seems possible over REST API for instance: http://community.cloudera.com/t5/Cloudera-Manager-Installation/CDM-change-admin-password-using-rest-...
Are you aware of other possible ways for securely rotating the credentials? Maybe over SSH?
Credentials rotation over SSH could be more feasible in our environment, since we have solutions in place which could do this automatically (out-of-the-box).
Is there also documentation of ALL privileged accounts that might exist in Cloudera? We would like to be aware of all those accounts in order to manage them accordingly.
Thanks and best regards, Alex
03-16-2018 04:16 PM
You mention "Cloudera Director" but then you pointed to a thread that discusses changing the Cloudera Manager password. I think you didn't intend to ask about "Director," but wanted to confirm with you.
All of Cloudera Manager and CDH's configuration is stored in Cloudera Manager's database (configured in /etc/cloudera-scm-server/db.properties). I am not sure how ssh could be used to make changes.
To use the Cloudera Manager API securely, configure Cloudera Manager to listen on a TLS port so that all communication between curl and CM is encrypted.
You also asked about "privileged accounts" but we need some specifics to understand what you mean. What is a "privileged account"?
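Added example, not part of the thread and not Cloudera's code: a rotation helper for the REST approach discussed above that refuses any non-TLS URL and verifies the server certificate. The endpoint shape (`PUT /api/<version>/users/<name>` with a JSON `name`/`password` body) is an assumption about what the linked thread describes; the base URL, API version and user name are supplied by the caller.

```python
import base64
import json
import secrets
import ssl
import string
import urllib.request
from urllib.parse import quote, urlsplit

ALPHABET = string.ascii_letters + string.digits + "-_.+=@%"


def new_password(length=32):
    """Generate a random password from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def build_rotation_request(base_url, api_version, user, current_pw, new_pw):
    """Build the PUT that replaces `user`'s password; refuse plaintext HTTP."""
    if urlsplit(base_url).scheme != "https":
        raise ValueError("refusing to send credentials over a non-TLS URL")
    # Assumed endpoint shape: PUT /api/<version>/users/<name>
    url = f"{base_url.rstrip('/')}/api/{api_version}/users/{quote(user, safe='')}"
    body = json.dumps({"name": user, "password": new_pw}).encode()
    basic = base64.b64encode(f"{user}:{current_pw}".encode()).decode()
    return urllib.request.Request(
        url, data=body, method="PUT",
        headers={"Authorization": f"Basic {basic}",
                 "Content-Type": "application/json"})


def rotate(base_url, api_version, user, current_pw, ca_file=None):
    """Rotate the password and return the new one for storage in the vault."""
    new_pw = new_password()
    req = build_rotation_request(base_url, api_version, user, current_pw, new_pw)
    # The default context verifies the server certificate and hostname.
    ctx = ssl.create_default_context(cafile=ca_file)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        if resp.status != 200:
            raise RuntimeError(f"rotation failed: HTTP {resp.status}")
    return new_pw
```

Store the returned password in the vault only after `rotate` returns without raising, so a failed call never leaves the vault out of sync with the server.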
03-17-2018 03:39 AM
Thank you very much for the quick response. It would actually be interesting for us to know both, rotating credentials for the Cloudera Manager as well as the Cloudera Director.
In our organization, we understand privileged accounts as those which can carry out critical/administrative actions on the systems. For instance, root or admin accounts on operating systems or within applications.
So far we understand that we might be able to rotate credentials for the Cloudera Manager via REST API according to this thread: http://community.cloudera.com/t5/Cloudera-Manager-Installation/CDM-change-admin-password-using-rest-...
For Cloudera Director, I understood from your last comment that the credentials are being stored in a database? Can you suggest an approach to possibly rotate privileged accounts in that database? Maybe there is an API, or would the best way just simply be to use the underlying database protocol capabilities (e.g. MySQL, Oracle, JDBC, etc.)?
Would this even make sense? Or putting it another way: Are there recommendations for managing and rotating privileged accounts for Cloudera solutions that we can follow?
Thanks and best regards,