Cloudera: Proxy Group Configuration

Arcadia Enterprise enables you to delegate LDAP sign-in authentication based on group assignment.

By default, Arcadia Enterprise proxy configuration delegates to all users. You can also configure a proxy user to delegate to one or more users. However, if your environment requires a proxy user to delegate to multiple users, it may be cumbersome to specify each user one by one. This feature allows the proxy user to delegate authority to a group of users.

Configure Settings on Cloudera Interface

After installing Arcadia Enterprise using Cloudera Manager, perform the following steps in the Cloudera Manager interface to configure the proxy user and group:

  1. Log into Cloudera Manager and click Clusters in the top navigation menu.
  2. Under Arcadia Enterprise, click Configuration in the top menu bar.
  3. On the Configuration page, under Filters > Scope, click Arcadia Analytics Engine.
  4. In the main area of the interface, in the search box, enter the text proxy and start the search.
  5. In the Proxy Group Configuration field, enter the username of the proxy user and the group to which that user is allowed to delegate. In our example, we entered arcadia=Group1, where arcadia is the proxy user and Group1 is the group to which this proxy user delegates.

    You can also specify a list of groups, separated by a delimiter. The default delimiter is a comma, which can be changed with the authorized_proxy_user_config_delimiter command.

    Command Syntax:
    <proxy_user>=<group1>,<group_2>,<group_3>; <proxy_user>=<group4>
    For example:
    arcadia=Group1,Group2,Group3; admin=Group4
  6. In the Proxy User Configuration field, delete the default value arcadia=*, as this allows a superuser to delegate to all users. When you are configuring a proxy group, either leave this field blank, or specify a single user or multiple users, separated by a delimiter. Do not specify all users. In our example, we entered arcadia=admin.
    Command Syntax:
    <proxy_user>=<user1>,<user_2>,<user_3>; <proxy_user>=<*>
    For example:
    arcadia=user1,user2,user3; admin=*
  7. Click Save Changes to save the configuration.
    Figure: Proxy Group Configuration
  8. To restart the Arcadia Enterprise service and apply the configuration changes, click the orange icon in the Arcadia Enterprise menu bar.

    Figure: Restarting Arcadia Enterprise Service
  9. In the Restart Stale Services interface, click Restart Now to restart the Arcadia Enterprise service.

    Figure: Confirming Restart of Arcadia Enterprise Service

After the Arcadia Enterprise service successfully restarts, your proxy group configuration is complete.

Example of Proxy Group Configuration on ArcViz

After completing the proxy group configuration on Cloudera, we demonstrate the access behavior of one of the users in Group1. In our example, one of our Group1 users is ldapuser1.

  1. Log into ArcViz with Username=ldapuser1 and Password=arcadia.

    To set up authentication for the delegated user in the group, configure username and password through LDAP.

  2. On the main navigation bar, click Data.
  3. In the main area, click the Connection Explorer tab.
  4. Select the default database.
  5. Select the cabrides dataset from the abbreviated list of datasets.
  6. A table with sample data appears under the Sample Data tab at the bottom of the screen. The proxy user arcadia is allowed to delegate to ldapuser1; therefore, the user is able to access Arcadia services.
    Figure: Access Arcadia Service
  7. Now let's delete the proxy user and the delegated group, arcadia=Group1, from the Proxy Group Configuration field in the Cloudera Interface.

    As ldapuser1 is part of Group1, after deleting the setting, this user should not be able to access Arcadia services.

    Figure: Delete Proxy User and the Delegated Group
  8. Log out of the Arcadia account.
    Figure: ldapuser1 logging out
  9. Log in as ldapuser1 again, and repeat steps 1 - 5.
  10. An error message appears: User ' not authorized to delegate to 'ldapuser1'.

    The proxy user arcadia is not allowed to delegate to ldapuser1; therefore, the user is unable to access Arcadia services.

    Figure: No Access to the Group User
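
The delegation rules walked through on this page, modelled as an added Python example (not Arcadia or Cloudera code). It assumes a proxy user may delegate when the target user is listed in Proxy User Configuration, the entry is *, or one of the user's LDAP groups is listed in Proxy Group Configuration; the function names and the group membership data are constructed for illustration.

```python
# Added example: a model of the delegation rules described on this page,
# not Arcadia's or Cloudera's code. DELIM mirrors the default comma delimiter.
DELIM = ","


def parse_proxy_config(value, delim=DELIM):
    """Parse '<proxy_user>=<a>,<b>; <proxy_user>=<c>' into {proxy_user: {a, b}}."""
    mapping = {}
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue  # blank field or trailing ';'
        proxy, sep, targets = entry.partition("=")
        names = {t.strip() for t in targets.split(delim) if t.strip()}
        if not sep or not proxy.strip() or not names:
            raise ValueError(f"malformed entry: {entry!r}")
        mapping.setdefault(proxy.strip(), set()).update(names)
    return mapping


def wildcard_proxies(mapping):
    """Proxy users whose entry contains '*', i.e. delegation to everyone."""
    return sorted(p for p, names in mapping.items() if "*" in names)


def may_delegate(proxy, user, user_groups, user_cfg, group_cfg):
    """Assumed rule: allow if the user is listed (or '*'), or shares a listed group."""
    users = parse_proxy_config(user_cfg).get(proxy, set())
    groups = parse_proxy_config(group_cfg).get(proxy, set())
    return "*" in users or user in users or bool(groups & set(user_groups))


if __name__ == "__main__":
    # Constructed directory data: ldapuser1 is a member of Group1.
    membership = {"ldapuser1": ["Group1"]}
    # Settings from the walkthrough: user field arcadia=admin, group field arcadia=Group1.
    print(may_delegate("arcadia", "ldapuser1", membership["ldapuser1"],
                       "arcadia=admin", "arcadia=Group1"))
    # Group entry deleted from the Proxy Group Configuration field.
    print(may_delegate("arcadia", "ldapuser1", membership["ldapuser1"],
                       "arcadia=admin", ""))
    # The default arcadia=* in the user field bypasses any group restriction.
    print(wildcard_proxies(parse_proxy_config("arcadia=*")))
```

Running the parser over both fields before saving catches entries that are missing the = sign and any proxy user still mapped to *, which would make the group restriction ineffective.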