Overview

In the actual business processing scenarios, we can frequently encounter the scenarios in which the BMR cluster resources and the data and services in the cluster are shared among various organizations and departments. We should be able to control the fine-grained computing resources and access privileges in the cluster. For the management of the granularity of resources on cloud (cluster and operation), please refer to Identity Access and Management. The user management feature provides a unified security solution in four dimensions of account number, authentication, authorization and audit in the BMR cluster to satisfy the enterprise level fine-grained multi-tenant and security control requirements. And it supports the connection with the IAM account number and easy to use.

Manage the BMR Account

The BMR account is an identity set with the same user name connected by several modules such as LDAP, Kerberos, Linux and Ranger in the BMR cluster.

Note

• The identity associated with the BMR account is determined according to the components actually started in the cluster.
• Start Kerberos. Please refer to Cluster Security Mode.
• The LDAP is a component started by default supports the hadoop and hbase templates.
• The Ranger is an optional component when a cluster is created.

1.In the page of "Product Service -> Baidu MapReduce - Cluster List", click the cluster name to enter the page of cluster details. 2.In the page of cluster details, click the left "User Management" button to manage the BMR account. 3.Click "Add BMR Account", select an existing IAM user and create a BMR account with the same user name in the cluster for the user. 4.Click "Modify" to modify the password and remark information of the BMR account. 5.Click "Download Keytab" to download the corresponding keytab of the account, and use it when submitting operations in the cluster. 6.Click "Delete" to delete the BMR account. 7.Click "Configure Ranger Configuration privilege" at the upper right corner of the table to configure the components and data access privileges for the BMR account in the cluster. Please that if you do not configure privileges, you cannot use the components and access data by default. The initial account passwords of Ranger are admin and rangeradmin123. The administrator user should update it timely.

Note

• When the Ranger is enabled, you should set the related policies for the created BMR account in the Ranger, or you can't submit operations in the console and cluster. For the Ranger configuration details, please view Ranger Configuration.
• Only the admin account can configure privileges for other BMR accounts in the Ranger. Please timely modify and save the password.
• If you set the status of IAM user as "Disabled" in the identity access and management, the BMR account associated with the IAM user can't conduct any operation.