This is the documentation for Cloudera Manager 4.8.2.
Documentation for other versions is available at Cloudera Documentation.

Configuring External Authentication

  Note: This feature is available only with a Cloudera Enterprise license.
For other products, the following applies:
  • Cloudera Standard - the feature is not available.
  • Cloudera Enterprise Trial Edition - the feature will not be available after your trial license expires.
To obtain a license for Cloudera Enterprise, please fill in this form or call 866-843-7207. After you install your Cloudera Enterprise license, the feature will be available.

Cloudera Manager provides several different mechanisms for authenticating users for Cloudera Manager. You can enter users into Cloudera Manager's own database (the default) or configure Cloudera Manager to authenticate against an external authentication service. This can be an LDAP server (Active Directory or an OpenLDAP compatible directory) or you can specify another external service.

Further, you can configure Cloudera Manager so that it can use both methods of authentication (internal database vs. external service), and you can determine the order in which it performs these searches. You can also restrict login access to members of specific groups, and can specify groups whose members will automatically be given administrator access to Cloudera Manager.

For an OpenLDAP compatible directory, you have several options for searching for users and groups:

  • You can specify a single base Distinguished Name (DN) and then provide a "Distinguished Name Pattern" to use to match a specific user in the LDAP directory.
  • Search filter options let you search for a particular user based on somewhat broader search criteria – for example Cloudera Manager users could be members of different groups or organizational units (OUs), so a single pattern won't find all those users. Search filter options also let you find all the groups to which a user belongs, to help determine if that user should have login or admin access.

To configure an external authentication service for Cloudera Manager user authentication:

  1. From the Administration tab, select the Settings.
  2. In the left-hand column, select the External Authentication category.
  3. Select the order in which Cloudera Manager should attempt its authentication (Authentication Backend Order). Here you can choose to authenticate users using just one of the methods (using Cloudera Manager's own Database is the default), or you can set it so that if the user cannot be authenticated by the first method, it will attempt using the second method. Note that if you select External Only, users who are administrators in the Cloudera Manager database will still be able to log in with their database password. This is to prevent the system from locking everyone out if the authentication settings get misconfigured — such as with a bad LDAP URL.
  4. Go to the section below for the type of authentication you want to configure, and follow the steps to set the properties appropriately.

Configure User Authentication Using Active Directory

  1. For External Authentication Type select Active Directory.
  2. Provide the URL of the Active Directory server.
  3. Provide the NT domain to authenticate against.
  4. Optionally, provide a comma-separated list of LDAP group names in the LDAP User Groups property. If this list is provided, only users who are members of one or more of the groups in the list will be allowed to log into Cloudera Manager. If this property is left empty, all authenticated LDAP users will be able to log into Cloudera Manager. For example, if there is a group called "CN=ClouderaManagerUsers,OU=Groups,DC=corp,DC=com", add the group name ClouderaManagerUsers to the LDAP User Groups list to allow members of that group to log in to Cloudera Manager. The group names are case-sensitive.
  5. In the LDAP Administrator Groups property you can provide a list of groups whose members should be given administrator access when they log in to Cloudera Manager. (Note that admin users must also be a member of at least one of the groups specified in the LDAP User Groups property or they will not be allowed to log in.) If this is left empty, then no users will be granted administrator access automatically at login — administrator access will need to be granted manually by another administrator.

Configure User Authentication Using an OpenLDAP-compatible Server

  1. For External Authentication Type select LDAP.
  2. Provide the URL of the LDAP server and (optionally) the base Distinguished Name (DN) (the search base) as part of the URL — for example ldap://ldap-server.corp.com/dc=corp,dc=com.
  3. If your server does NOT allow anonymous binding: Provide the user DN and password to be used to bind to the directory. These are the LDAP Bind User Distinguished Name and LDAP Bind Password properties. By default, Cloudera Manager assumes anonymous binding.
  4. To use a single "Distinguished Name Pattern," provide a pattern in the LDAP Distinguished Name Pattern property.

    Use {0} in the pattern to indicate where the username should go. For example, to search for a distinguished name where the the uid attribute is the username, you might provide a pattern similar to uid={0},ou=People,dc=corp,dc=com. Cloudera Manager substitutes the name provided at login into this pattern and performs a search for that specific user. So if a user provides the username "foo" at the Cloudera Manager login page, Cloudera Manager will search for the DN uid=foo,ou=People,dc=corp,dc=com.

    Note that if you provided a base DN along with the URL, the pattern only needs to specify the rest of the DN pattern. For example, if the URL you provide is ldap://ldap-server.corp.com/dc=corp,dc=com, and the pattern is uid={0},ou=People, then the search DN will be uid=foo,ou=People,dc=corp,dc=com.

  5. You can also search using User and/or Group search filters, using the LDAP User Search Base, LDAP User Search Filter, LDAP Group Search Base and LDAP Group Search Filter settings. These allow you to combine a base DN with a search filter to allow a greater range of search targets.

    For example, if you want to authenticate users who may be in one of multiple OUs, the search filter mechanism will allow this. You can specify the User Search Base DN as dc=corp,dc=com and the user search filter as uid={0}. Then Cloudera Manager will search for the user anywhere in the tree starting from the Base DN. Suppose you have two OUs — ou=Engineering and ou=Operations — Cloudera Manager will find User "foo" if it exists in either of these OUs, i.e. uid=foo,ou=Engineering,dc=corp,dc=com or uid=foo,ou=Operations,dc=corp,dc=com.

    You can use a user search filter along with a DN pattern, so that the search filter provides a fallback if the DN pattern search fails.

    The Groups filters let you search to determine if a DN or user name is a member of a target group. In this case, the filter you provide can be something like member={0} where {0} will be replaced with the DN of the user you are authenticating. For a filter requiring the user name, {1} may be used, as memberUid={1}. This will return a list of groups this user belongs to, which will be compared to the list in the LDAP User Groups and LDAP Administrator Groups properties (discussed previously in the section about Active Directory).

Configure Cloudera Manager to use LDAPS instead of LDAP:

If the LDAP server's certificate has been signed by a trusted Certificate Authority (ie., VerSign, GeoTrust, etc.) the following steps may not be necessary.

  1. Copy the CA certificate file (ca.cer, etc.) to the Cloudera Manager server.
  2. Import the CA certificate(s) from the CA certificate file to the local keystore.

    Example: /usr/java/latest/bin/keytool -import -alias <nt_domain_name> -keystore /usr/java/latest/jre/lib/security/cacerts -file <path_to_cert>

      Note:
    • The default password for the cacerts store is changeit.

    • The alias can be any name (not just the domain name).

  3. Configure the LDAP URL in the Cloudera Manager configuration to use ldaps://<ldap_server> instead of ldap://<ldap_server>

Configure User Authentication Using an External Program

You can configure Cloudera Manager to use an external authentication program of your own choosing. Typically, this may be a custom script that interacts with a custom authentication service. Cloudera Manager will call the external program with the user name as the first command line argument. The password is passed over stdin. Cloudera Manager assumes the program will return the following exit codes:

  • 0 for the successful authentication of a regular user
  • 1 for the successful authentication of an admin user
  • a negative value for failure to authenticate.
  1. For External Authentication Type select External Program.
  2. Provide a path to the external program in the External Authentication Program Path property.