cloudera.cloud.env_idbroker module – Update ID Broker for CDP Environments

Note

This module is part of the cloudera.cloud collection (version 2.5.1).

It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install cloudera.cloud. You need further requirements to be able to use this module, see Requirements for details.

To use it in a playbook, specify: cloudera.cloud.env_idbroker.

Synopsis

  • Update ID Broker mappings for CDP Environments for data access.

  • The module supports check_mode.

Requirements

The below requirements are needed on the host that executes this module.

  • cdpy

Parameters

cdp_region (string)
  aliases: cdp_endpoint_region, endpoint_region
  Specify the Cloudera Data Platform endpoint region.
  Default: "default"

clear_mappings (boolean)
  aliases: set_empty_mappings
  Flag to install an empty set of individual mappings, deleting any existing mappings.
  Mutually exclusive with mappings.
  Choices: false (default), true

data_access (string)
  aliases: data_access_arn, data
  The cloud provider IAM role for data access.
  Must be the cloud provider resource identifier:
    For AWS, it should be the ARN.
    For Azure, it should be the Resource ID.
    For GCP, it should be the Service Account fully qualified name.
  When creating a new set of data access mappings, this parameter is required.

debug (boolean)
  aliases: debug_endpoints
  Capture the CDP SDK debug log.
  Choices: false (default), true

mappings (list / elements=dictionary)
  ID Broker mappings for individual users and groups.
  Does not include mappings for data access services.
  Mutually exclusive with clear_mappings.

  accessor (string / required)
    aliases: accessorCrn
    The CRN of the actor or group.

  role (string / required)
    aliases: roleCrn
    The cloud provider role (e.g., ARN in AWS, Resource ID in Azure, Service Account in GCP) to which the actor or group is mapped.

name (string / required)
  aliases: environment
  The name of the Environment.

profile (string)
  If provided, the CDP SDK will use this value as its profile.

ranger_audit (string)
  aliases: ranger_audit_arn, audit
  The cloud provider role to which services that write to Ranger audit logs will be mapped:
    For AWS, it should be the ARN.
    For Azure, it should be the Resource ID.
    For GCP, it should be the Service Account fully qualified name.
  Note that some data access services also write to Ranger audit logs; such services will be mapped to the data_access role, not the ranger_audit role.
  When creating a new set of data access mappings, this parameter is required.

ranger_cloud_access (string)
  aliases: ranger_cloud_access_arn, cloud
  The cloud provider role to which the Ranger RAZ service will be mapped:
    For AWS, it should be the ARN.
    For Azure, it should be the Resource ID.
    For GCP, it should be the Service Account fully qualified name.
  This is required in RAZ-enabled environments.

sync (boolean)
  aliases: sync_mappings
  Flag to sync mappings to the Environment's Datalake(s).
  If the mappings do not need to be synced or there is no Datalake associated with the Environment, the flag will be ignored.
  Choices: false, true (default)

verify_endpoint_tls (boolean)
  aliases: endpoint_tls
  Verify the TLS certificates for the CDP endpoint.
  Choices: false, true (default)

Examples

# Note: These examples do not set authentication details.

# Create a fresh set of data access mappings for ID Broker
- cloudera.cloud.env_idbroker:
    name: example-environment
    data_access: arn:aws:iam::654468598544:role/some-data-access-role
    ranger_audit: arn:aws:iam::654468598544:role/some-ranger-audit-role

# Set the data access role for ID Broker on an existing environment
- cloudera.cloud.env_idbroker:
    name: example-environment
    data_access: arn:aws:iam::654468598544:role/some-data-access-role

# Set the Ranger audit role for ID Broker on an existing environment
- cloudera.cloud.env_idbroker:
    name: example-environment
    ranger_audit: arn:aws:iam::654468598544:role/some-ranger-audit-role

# Set some actor-to-role mappings for ID Broker on an existing environment
- cloudera.cloud.env_idbroker:
    name: example-environment
    mappings:
      - accessor: crn:altus:iam:us-west-1:1234:group:some-group/abcd-1234-efghi
        role: arn:aws:iam::654468598544:role/another-data-access-role

# Clear the actor-to-role mappings for ID Broker on an existing environment
- cloudera.cloud.env_idbroker:
    name: example-environment
    clear_mappings: yes

# Don't sync the mappings for ID Broker to the environment's datalakes
- cloudera.cloud.env_idbroker:
    name: example-environment
    mappings:
      - accessor: crn:altus:iam:us-west-1:1234:group:some-group/abcd-1234-efghi
        role: arn:aws:iam::654468598544:role/another-data-access-role
    sync: no

# Now sync the mappings for the ID Broker once the environment has a datalake
- cloudera.cloud.env_idbroker:
    name: example-environment
    sync: yes

Return Values

Common return values are documented here; the following are the fields unique to this module:

idbroker (dictionary)
  Returns the mappings and sync status for the ID Broker for the Environment.
  Returned: always

  dataAccessRole (string)
    The cloud provider role to which data access services will be mapped (e.g. an ARN in AWS, a Resource ID in Azure).
    Returned: always

  mappings (list / elements=dictionary)
    ID Broker mappings for individual actors and groups. Does not include mappings for data access services.
    Returned: when supported

    accessorCrn (string)
      The CRN of the actor (group or user) mapped to the cloud provider role.
      Returned: on success

    role (string)
      The cloud provider identifier for the role.
      Returned: on success

  mappingsVersion (string)
    The version of the mappings.
    Returned: always
    Sample: "AWS"

  rangerAuditRole (string)
    The cloud provider role to which services that write to Ranger audit logs will be mapped (e.g. an ARN in AWS, a Resource ID in Azure).
    Note that some data access services also write to Ranger audit logs; such services will be mapped to the 'dataAccessRole', not the 'rangerAuditRole'.
    Returned: always

  rangerCloudAccessAuthorizerRole (string)
    The cloud provider role to which the Ranger RAZ service will be mapped (e.g. an ARN in AWS, a Resource ID in Azure).
    Returned: when supported

  syncStatus (dictionary)
    The status of the most recent ID Broker mappings sync operation, if any. Not present if there is no Datalake associated with the Environment.
    Returned: when supported

    globalStatus (string)
      The overall mappings sync status for all Datalake clusters in the Environment.
      Returned: always
      Sample: one of NEVER_RUN, REQUESTED, REJECTED, RUNNING, COMPLETED, FAILED, TIMEDOUT

    statuses (dictionary)
      Map of Datalake cluster CRN to mappings sync status, one entry per Datalake cluster in the Environment.
      Returned: always

      __datalake CRN__ (dictionary)
        The entry for one Datalake cluster, keyed by its CRN.
        Returned: always

        endDate (string)
          The date when the mappings sync completed or was terminated. Omitted if status is NEVER_RUN or RUNNING.
          Returned: when supported

        errorDetail (string)
          The detail of the error. Omitted if status is not FAILED.
          Returned: when supported

        startDate (string)
          The date when the mappings sync started executing. Omitted if status is NEVER_RUN.
          Returned: when supported

        status (string)
          The mappings sync summary status.
          Returned: always
          Sample: one of NEVER_RUN, REQUESTED, REJECTED, RUNNING, COMPLETED, FAILED, TIMEDOUT

    syncNeeded (boolean)
      Flag indicating whether a sync is needed to bring in-cluster mappings up-to-date.
      Returned: always

sdk_out (string)
  Returns the captured CDP SDK log.
  Returned: when supported

sdk_out_lines (list / elements=string)
  Returns a list of each line of the captured CDP SDK log.
  Returned: when supported
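Reading the return value. The idbroker dictionary combines the role mappings with the per-Datalake sync status, so it is the natural place to check that a change actually landed before a playbook moves on. The following Python is an added example, not code from the cloudera.cloud collection or from cdpy: it walks a return dictionary shaped like the one documented above, lists the Datalakes whose sync ended in FAILED, TIMEDOUT or REJECTED (with the errorDetail the module returns when present), and flags any user or group mapping whose role is one of the service roles (dataAccessRole, rangerAuditRole, rangerCloudAccessAuthorizerRole). The sample dictionary is constructed here with placeholder CRNs and ARNs, syncNeeded is assumed to live inside syncStatus, and the policy that individual actors should not share the service roles is the example's own least-privilege assumption, not a rule stated by the module.

```python
"""Post-run review of the `idbroker` dictionary returned by cloudera.cloud.env_idbroker.

Added example, not part of the cloudera.cloud collection. The sample return value
below is constructed to match the documented keys; every CRN and ARN in it is a
placeholder (account id 000000000000, tenant id 0000).
"""
import json

# Per-Datalake sync states that mean the mappings did NOT reach the cluster.
SYNC_BAD = {"FAILED", "TIMEDOUT", "REJECTED"}

# Constructed sample of the module's `idbroker` return value.
SAMPLE_IDBROKER = {
    "mappingsVersion": "AWS",
    "dataAccessRole": "arn:aws:iam::000000000000:role/example-data-access-role",
    "rangerAuditRole": "arn:aws:iam::000000000000:role/example-ranger-audit-role",
    "mappings": [
        {"accessorCrn": "crn:altus:iam:us-west-1:0000:group:analysts/placeholder-1",
         "role": "arn:aws:iam::000000000000:role/example-analyst-role"},
        # A user mapped straight onto the data access service role: worth a second look.
        {"accessorCrn": "crn:altus:iam:us-west-1:0000:user:admin/placeholder-2",
         "role": "arn:aws:iam::000000000000:role/example-data-access-role"},
    ],
    "syncStatus": {  # assumed layout: globalStatus, statuses and syncNeeded side by side
        "globalStatus": "FAILED",
        "syncNeeded": True,
        "statuses": {
            "crn:cdp:datalake:us-west-1:0000:datalake:placeholder-dl-1": {
                "status": "COMPLETED",
                "startDate": "2000-01-01T00:00:00Z", "endDate": "2000-01-01T00:01:00Z"},
            "crn:cdp:datalake:us-west-1:0000:datalake:placeholder-dl-2": {
                "status": "FAILED",
                "startDate": "2000-01-01T00:00:00Z", "endDate": "2000-01-01T00:02:00Z",
                "errorDetail": "constructed sample error"},
        },
    },
}


def service_roles(idbroker):
    """Collect the roles reserved for CDP services (data access, Ranger audit, RAZ)."""
    keys = ("dataAccessRole", "rangerAuditRole", "rangerCloudAccessAuthorizerRole")
    return {idbroker[k] for k in keys if idbroker.get(k)}


def actors_on_service_roles(idbroker):
    """Accessor CRNs of individual users/groups mapped directly onto a service role.

    The module documents individual mappings as separate from the data access
    service mappings; an actor sharing a service role inherits whatever that
    role can reach in the cloud account, which is rarely the intent.
    """
    reserved = service_roles(idbroker)
    return sorted(m["accessorCrn"] for m in idbroker.get("mappings", [])
                  if m.get("role") in reserved)


def failed_datalake_syncs(idbroker):
    """Map Datalake CRN -> errorDetail for every per-cluster sync that did not succeed."""
    sync = idbroker.get("syncStatus") or {}  # absent when the Environment has no Datalake
    failures = {}
    for crn, st in sync.get("statuses", {}).items():
        if st.get("status") in SYNC_BAD:
            # errorDetail is only documented for FAILED, so fall back for the others
            failures[crn] = st.get("errorDetail", "no errorDetail reported")
    return failures


def review_idbroker(idbroker):
    """Summarise what an operator should look at before trusting the mappings."""
    sync = idbroker.get("syncStatus") or {}
    return {
        "global_sync": sync.get("globalStatus", "NO_DATALAKE"),
        "sync_needed": bool(sync.get("syncNeeded", False)),
        "failed_syncs": failed_datalake_syncs(idbroker),
        "actors_on_service_roles": actors_on_service_roles(idbroker),
    }


if __name__ == "__main__":
    print(json.dumps(review_idbroker(SAMPLE_IDBROKER), indent=2))
```

In a playbook the same check would run against the registered result's idbroker key (for example via a small filter plugin or an ansible.builtin.assert on these fields); a non-empty failed_syncs or a true sync_needed means the in-cluster mappings still differ from what the module set.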

Authors

  • Webster Mudge (@wmudge)

  • Dan Chaffelson (@chaffelson)