
deploy Cloudbreak cluster on Azure without admin or co-admin permissions



Rising Star

In Cloudbreak, there are two ways to launch clusters on Azure:

  • interactive login: requires admin or co-admin credentials on Azure. I don't have these permissions.
  • app based: can deploy a cluster using an existing 'Contributor' role.

Cloudbreak requires the following attributes in order to launch a cluster using the app based method: subscription id, tenant id, app id, and password. Here's what we did to get them:

# login
az login
# create resource group
az group create --name woolford --location westus
# subscription ID
az account show | jq -r '.id'
xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx797
# tenant ID
az account show | jq -r '.tenantId'
xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx85d
# create an application
az ad app create --display-name woolford --homepage https://woolford.azurehdinsight.net --identifier-uris https://woolford.azurehdinsight.net --password 'myS3cret!'
# get the application ID
az ad app list --query "[?displayName=='woolford']" | jq -r '.[0].appId'
xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxa31

We tried to deploy a cluster with Cloudbreak and received the following error:

Failed to verify the credential: Status code 401, {"error":{"code":"InvalidAuthenticationToken","message":"The received access token is not valid: at least one of the claims 'puid' or 'altsecid' or 'oid' should be present. If you are accessing as application please make sure service principal is properly created in the tenant."}}

We then attempted to create the service principal:

az ad sp create-for-rbac --name woolford --password "myS3cret!" --role Owner (same outcome for --role Contributor)

... and received the following error:

role assignment response headers: {'Cache-Control': 'no-cache', 'Pragma': 'no-cache', 'Content-Type': 'application/json; charset=utf-8', 'Expires': '-1', 'x-ms-failure-cause': 'gateway', 'x-ms-request-id': 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxe01', 'x-ms-correlation-request-id': 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxe01', 'x-ms-routing-request-id': 'EASTUS:20171017T025354Z:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxe01', 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains', 'Date': 'Tue, 17 Oct 2017 02:53:53 GMT', 'Connection': 'close', 'Content-Length': '305'} The client 'awoolford@hortonworks.com' with object id 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxb67' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/7xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx797'.

Can you see what we're doing wrong? Is it possible to create a service principal for an application that I created (if I'm not an admin or co-admin)? If so, how?

1 ACCEPTED SOLUTION


Re: deploy Cloudbreak cluster on Azure without admin or co-admin permissions

Contributor

You should ask your Azure administrator to run the "az ad sp create-for-rbac..." command for you. Only the admin users can assign roles.

It will create an application, a principal for the application, and assign the role for the principal.

Then you can use the output of this command (it contains the app-id) with Cloudbreak.

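The 403 in the question is Azure RBAC doing exactly what the accepted answer says: the caller holds Contributor, and Contributor's built-in definition carries `*` in Actions but `Microsoft.Authorization/*/Write` in NotActions, so `roleAssignments/write` is denied even though the caller can create every other resource in the subscription. The script below is an added example, not code from the original post, from Cloudbreak, or from Microsoft: it models Azure's evaluation (assignment scope covers child scopes; Actions are wildcard patterns; NotActions subtract) over a constructed `az role assignment list`-style input, and shows why Owner or User Access Administrator succeeds where Contributor fails. The role definitions are reconstructed from the built-in Owner, Contributor and User Access Administrator roles as I know them (verify with `az role definition list --name <role>`); all IDs are constructed placeholders, and `create_for_rbac_argv` is a helper I named, not an Azure CLI command, which emits the least-privilege form of the admin's command (role assignment scoped to the resource group rather than the whole subscription).

```python
"""Model of Azure RBAC evaluation explaining the roleAssignments/write 403.

Added example, not from the original post or Cloudbreak. Role definitions
are a constructed subset of the Azure built-ins (assumption: matches the
live definitions; check with `az role definition list --name <role>`).
"""
from fnmatch import fnmatchcase

# Constructed subset of built-in role definitions (assumption, see above).
ROLE_DEFINITIONS = {
    "Owner": {"Actions": ["*"], "NotActions": []},
    "Contributor": {
        "Actions": ["*"],
        # This NotAction is what blocks `az ad sp create-for-rbac` for a Contributor.
        "NotActions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    "User Access Administrator": {
        "Actions": ["*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"],
        "NotActions": [],
    },
}

# The action named in the error message of the original post.
ACTION = "Microsoft.Authorization/roleAssignments/write"


def scope_covers(assignment_scope, target_scope):
    """A role assigned at /subscriptions/S also applies to /subscriptions/S/resourceGroups/RG."""
    a = assignment_scope.lower().rstrip("/")
    t = target_scope.lower().rstrip("/")
    return t == a or t.startswith(a + "/")


def _matches(patterns, action):
    # Azure action strings are case-insensitive and '*' matches any run of characters.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def role_permits(role_name, action):
    """A role grants an action only if Actions match and no NotActions match."""
    d = ROLE_DEFINITIONS[role_name]
    return _matches(d["Actions"], action) and not _matches(d["NotActions"], action)


def can_perform(assignments, principal_id, action, target_scope):
    """assignments: records shaped like `az role assignment list --assignee <id> --all` output."""
    for a in assignments:
        if a["principalId"].lower() != principal_id.lower():
            continue
        if not scope_covers(a["scope"], target_scope):
            continue
        if role_permits(a["roleDefinitionName"], action):
            return True
    return False


def create_for_rbac_argv(sp_name, subscription_id, resource_group, role="Contributor"):
    """Least-privilege form of the admin's command: assignment scoped to one resource group.

    Hypothetical helper name; the flags (--name, --role, --scopes) are real az options.
    """
    scope = f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
    return ["az", "ad", "sp", "create-for-rbac", "--name", sp_name,
            "--role", role, "--scopes", scope]


# Constructed sample data standing in for the poster (Contributor) and an admin (Owner).
SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000797"
SUBSCRIPTION = f"/subscriptions/{SUBSCRIPTION_ID}"
RESOURCE_GROUP = SUBSCRIPTION + "/resourceGroups/woolford"
USER_OID = "00000000-0000-0000-0000-000000000b67"
ADMIN_OID = "00000000-0000-0000-0000-000000000001"
SAMPLE_ASSIGNMENTS = [
    {"principalId": USER_OID, "roleDefinitionName": "Contributor", "scope": SUBSCRIPTION},
    {"principalId": ADMIN_OID, "roleDefinitionName": "Owner", "scope": SUBSCRIPTION},
]

if __name__ == "__main__":
    for who, oid in (("poster (Contributor)", USER_OID), ("admin (Owner)", ADMIN_OID)):
        ok = can_perform(SAMPLE_ASSIGNMENTS, oid, ACTION, SUBSCRIPTION)
        print(f"{who}: {ACTION} at subscription scope -> {'allowed' if ok else 'denied (403)'}")
    print(" ".join(create_for_rbac_argv("woolford", SUBSCRIPTION_ID, "woolford")))
```

Two things the run makes visible: the same Contributor assignment that is denied `roleAssignments/write` still permits `Microsoft.Compute/virtualMachines/write` inside the resource group, which is why the poster could create the app and the resource group but not the role assignment; and the admin does not need to hand out Owner at subscription scope, because an assignment at `/subscriptions/<id>/resourceGroups/woolford` is all Cloudbreak's principal needs to build the cluster there.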

