Altus Director integration with Active Directory

Contributor

Scenario:

I recently integrated Altus Director with Active Directory for role-based authentication & authorisation. After implementation I noticed that the default admin credential (admin/admin) was not working anymore, which was expected.

My question is:

  1. Is it possible/recommended to create another 'admin' user in Altus Director (or in Active Directory) as a master credential just for back-up?
  2. Does Altus Director have an Authentication Backend Order (e.g. Database then External) like we have in Cloudera Manager?
  3. Suppose, if a user is present in the admin group as well as the readonly group, then what role does Altus Director assume for that user?

Thank you.

1 ACCEPTED SOLUTION

Super Guru

Is it possible/recommended to create another 'admin' user in Altus Director (or in Active Directory) as a master credential just for back-up?

Rather than granting individual users the Admin role, when you integrate Director with Active Directory, you can map an Active Directory group to the Admin role by setting the following property:

lp.security.ldapConfig.activeDirectory.roleMapping.DirectorAdminGroupCn: <ADMIN_GROUP_CN>

With this, once you start Director, all the users in that AD group will already have admin privileges.

Does Altus Director have an Authentication Backend Order (e.g. Database then External) like we have in Cloudera Manager?

As far as I know, the lp.security.userSource parameter only accepts two values: LDAP and internal, and they are mutually exclusive.

Suppose, if a user is present in the admin group as well as the readonly group, then what role does Altus Director assume for that user?

The union of the privileges, so the user will be an Admin.


Contributor

lp.security.ldapConfig.activeDirectory.roleMapping.DirectorAdminGroupCn: <ADMIN_GROUP_CN>


As per the documentation and my understanding, the proper syntax would be:

lp.security.ldapConfig.activeDirectory.roleMapping.<Active_Directory_Group_CN>: <ADMIN> / <READONLY>

Please correct me if I'm wrong.

Thank you.


Super Guru

Yes, your understanding is correct.
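
An added example, not part of the thread and not Cloudera's code: a Python check that reads the role-mapping properties discussed above, resolves a user's effective role as the union the accepted answer describes, and flags a configuration that would leave Director with no admin login once userSource is LDAP. The role literals ADMIN and READONLY are taken from the thread's placeholders; the group names, the sample file and case-insensitive group matching are assumptions.

```python
PREFIX = "lp.security.ldapConfig.activeDirectory.roleMapping."
RANK = {"READONLY": 1, "ADMIN": 2}  # assumed literals, from the thread's placeholders

# Constructed sample configuration; group names are hypothetical.
SAMPLE = """\
lp.security.userSource: LDAP
lp.security.ldapConfig.activeDirectory.roleMapping.director-admins: ADMIN
lp.security.ldapConfig.activeDirectory.roleMapping.director-viewers: READONLY
"""

def parse(text):
    """Return (userSource, {group_cn: role}) from 'key: value' lines."""
    source, mapping = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "lp.security.userSource":
            source = value
        elif key.startswith(PREFIX):
            # Assumption: group CNs are compared case-insensitively.
            mapping[key[len(PREFIX):].lower()] = value.upper()
    return source, mapping

def effective_role(user_groups, mapping):
    """Union of privileges: the highest role among the user's mapped groups."""
    roles = [mapping.get(g.lower()) for g in user_groups]
    known = [r for r in roles if r in RANK]
    return max(known, key=RANK.get, default=None)

def lint(text):
    """Report settings that would leave Director without an admin login."""
    source, mapping = parse(text)
    findings = []
    if (source or "").upper() != "LDAP":
        return findings  # per the thread, LDAP and internal are mutually exclusive
    if "ADMIN" not in mapping.values():
        findings.append("userSource is LDAP but no AD group maps to ADMIN (lockout risk)")
    for group, role in sorted(mapping.items()):
        if role not in RANK:
            findings.append(f"group '{group}' maps to unknown role '{role}'")
    return findings

if __name__ == "__main__":
    _, sample_mapping = parse(SAMPLE)
    print(effective_role(["Director-Admins", "director-viewers"], sample_mapping))
    print(lint(SAMPLE) or "no findings")
```

Running the lint against the properties file before restarting Director catches a missing or mistyped admin mapping while the internal admin account still works.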