Creating IAM Users

You can apply policies to individual users, but it's best practice to create groups whose privileges are defined in policies and then add users to the groups. That way a user's permissions change when their group membership changes, and the policies themselves stay stable and reviewable.

Create Identity and Access Management (IAM) groups with access privileges appropriate to your needs.

For the simple case, use the existing Administrators group, whose members have complete administrative rights over the resources in the tenancy. You can also create a big-data-users group, whose members have read access to the cluster and appropriate rights for working with data. In more complex situations, you need multiple administrator groups whose access is restricted to certain compartments or to certain resources, such as networking or clusters and storage.

Big Data Service Administrators

While the cloud administrator has complete control over all Big Data Service resources in the tenancy, it's good practice to delegate cluster administration tasks to one or more Big Data Service administrators.

The tasks an administrator must complete include:

  • Create compartments in the tenancy, to organize and isolate resources (optional).
  • Set up a Virtual Cloud Network (VCN) in the tenancy, including subnets, gateways, and other networking resources.
  • Create groups, users, and policies in the tenancy, to control who has what kind of access to which resources.

For complete documentation on setting up a new tenancy, see Setting Up Your Tenancy in the Oracle Cloud Infrastructure documentation.

About the Types of Administrators

You can set up administrator groups and administrator users in a number of different ways, depending on your requirements. One useful strategy is to create three kinds of administrators:

Cloud administrator
A cloud administrator has full access privileges to all the resources in the tenancy, including those used by any other services in your tenancy. When Oracle creates a new tenancy, a default administrator is created for the tenancy, and that administrator is a cloud administrator. You can create additional cloud administrators.

A cloud administrator is created through Oracle Cloud Infrastructure Identity and Access Management. See Overview of Oracle Cloud Infrastructure Identity and Access Management.

Big Data Service administrator
A Big Data Service administrator has privileges to manage one or more clusters and the resources associated with them, like groups, users, storage, and so forth. This kind of administrator might not have privileges on other services in the tenancy, or might have limited privileges on shared resources like networks. A Big Data Service administrator is created through Oracle Cloud Infrastructure Identity and Access Management.

Hadoop cluster administrator
A Hadoop cluster administrator has permissions directly on the cluster, to perform management operations programmatically. A Hadoop administrator is created by using OS commands. See Creating an Administrators Group and Adding a User.

About the OS User Accounts

In addition to the access controls provided by Oracle Cloud Infrastructure, Big Data Service supports OS user accounts, which allow direct access to the cluster through SSH.

Every Big Data Service cluster node is provisioned with the following OS user accounts.

  • opc

    This is the system administrator account; use it with the sudo command to gain root access on the nodes. By default, opc doesn't accept password logins, so connect with your SSH key. You can enable password login by assigning a known password to opc or by creating another user with a known password, but doing so exposes the node to password guessing over SSH; keep key-based authentication unless you have a specific need, and verify the setting in sshd_config after any change.

  • root

    This is the root administrator account for the system. You don't have direct access to it. To perform operations that require root privileges, run sudo -s as the opc user. By default, no password is required for this escalation.

  • oracle

    This is an OS and cluster user account that's used to run jobs on the cluster during the validation of the cluster. This account is used by the system and has a randomly generated password.
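The check that follows is an added example, not code from the Oracle documentation: it reads an sshd_config and reports whether a node would still accept password logins or direct root logins over SSH, the two defaults described above for opc and root. The configuration text is constructed for the example, and the file path on a cluster node (/etc/ssh/sshd_config) is an assumption. It reproduces one sshd rule that is easy to trip over when hardening a node by hand: the first value given for a keyword wins, so a later "PasswordAuthentication no" does not undo an earlier "yes".

```python
import re
import sys
from typing import Optional

# Constructed sample (not from a real node): an sshd_config that an operator edited
# to allow password logins.  sshd keeps the FIRST value it sees for a keyword, so
# the later 'PasswordAuthentication no' has no effect.
SAMPLE_SSHD_CONFIG = """\
# OpenSSH server configuration (constructed for this example)
PermitRootLogin no
PasswordAuthentication yes      # added by an operator to allow password logins
ChallengeResponseAuthentication no
UsePAM yes
PasswordAuthentication no       # ignored: sshd already took the first value
Match User backup
    PasswordAuthentication no
"""


def effective_setting(config_text: str, keyword: str) -> Optional[str]:
    """Return the global value sshd would use for keyword, or None if it is unset.

    Directives after a Match line are conditional and are skipped.  Include
    directives (OpenSSH 8.2+) are not followed here; concatenate included files
    yourself if your nodes use them."""
    in_match = False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            in_match = True                           # everything after this is conditional
        elif not in_match and key == keyword.lower():
            return value.lower()                      # first occurrence wins
    return None


def password_login_allowed(config_text: str) -> bool:
    """True if sshd would accept a password-style login.

    Both PasswordAuthentication and keyboard-interactive (PAM) default to 'yes'
    when unset, and keyboard-interactive with PAM still prompts for a password,
    so both must be 'no' for a node to refuse password logins."""
    pw = effective_setting(config_text, "PasswordAuthentication") or "yes"
    # KbdInteractiveAuthentication is the current name; ChallengeResponseAuthentication the alias.
    kbd = (effective_setting(config_text, "KbdInteractiveAuthentication")
           or effective_setting(config_text, "ChallengeResponseAuthentication")
           or "yes")
    return pw == "yes" or kbd == "yes"


def root_ssh_login_allowed(config_text: str) -> bool:
    """True unless PermitRootLogin is explicitly 'no'.  The compiled-in default,
    'prohibit-password', still allows root to log in with a key."""
    return (effective_setting(config_text, "PermitRootLogin") or "prohibit-password") != "no"


def audit(config_text: str) -> dict:
    return {
        "password_login_allowed": password_login_allowed(config_text),
        "root_ssh_login_allowed": root_ssh_login_allowed(config_text),
    }


if __name__ == "__main__":
    # Pass a path (for example /etc/ssh/sshd_config on a node, an assumed location)
    # to audit a real file; otherwise the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SSHD_CONFIG
    for name, allowed in audit(text).items():
        print(f"{name}: {'YES' if allowed else 'no'}")
```

On the sample the script reports that password login is still allowed even though the last PasswordAuthentication line says no; the fix is to remove the earlier "yes", not to append another "no".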

Creating a User to be the Administrator

To create a new Big Data Service administrator for a new service, a cloud administrator must create a user and then add the user to a Big Data Service administrators group.

See Adding Users.

Creating an Administrators Group and Adding a User

Create a Big Data Service administrators group, for example bds-admins, and grant its members permissions to manage the cluster life cycle. Create the Big Data Service administrator user before creating the group.

Note

If you haven't yet created the user who will be the administrator, go back to Creating a User to be the Administrator to create the user, and then return to this step.
  1. Create a group, for example bds-admins. See Creating groups.
  2. Add users to the group. See Adding users to groups.
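The following is an added example, not Oracle's code, that ties the three administrator types above to the bds-admins procedure: it builds the policy statements for a compartment-scoped Big Data Service administrator group and a read-only big-data-users group, and lints a policy for grants broader than that tiered model allows (tenancy-wide manage, all-resources, or the ability to edit IAM itself). The group names bds-admins and big-data-users, the compartment name bds-prod, and the resource-type names bds-family and virtual-network-family are assumptions; confirm the resource types against the OCI policy reference before applying the statements in a tenancy.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# Subset of the OCI policy grammar used on this page:
#   Allow group <group> to <verb> <resource-type> in tenancy
#   Allow group <group> to <verb> <resource-type> in compartment <name>
STATEMENT_RE = re.compile(
    r"^allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>\S+)\s+in\s+(?:(?P<tenancy>tenancy)|compartment\s+(?P<compartment>\S+))$",
    re.IGNORECASE,
)
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}


@dataclass(frozen=True)
class Statement:
    group: str
    verb: str
    resource: str
    compartment: Optional[str]   # None means the grant is tenancy-wide


def parse_statement(text: str) -> Statement:
    m = STATEMENT_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised policy statement: {text!r}")
    return Statement(m.group("group"), m.group("verb").lower(), m.group("resource").lower(),
                     None if m.group("tenancy") else m.group("compartment"))


def bds_admin_statements(group: str, compartment: str) -> List[str]:
    """Grants for a Big Data Service administrator: full control of clusters in one
    compartment and only 'use' on the shared network there (resource-type names are
    assumptions; check them against the OCI policy reference)."""
    return [
        f"Allow group {group} to manage bds-family in compartment {compartment}",
        f"Allow group {group} to use virtual-network-family in compartment {compartment}",
    ]


def big_data_user_statements(group: str, compartment: str) -> List[str]:
    """Read-only access to clusters for a big-data-users style group."""
    return [f"Allow group {group} to read bds-family in compartment {compartment}"]


def lint_policy(statements: Sequence[str],
                cloud_admin_groups: Sequence[str] = ("Administrators",)) -> List[Tuple[str, str]]:
    """Flag grants broader than the tiered administrator model allows.

    Returns (statement, reason) pairs; an empty list means every non-cloud-admin
    grant is scoped to a resource family inside a compartment."""
    findings = []
    for text in statements:
        s = parse_statement(text)
        if s.group in cloud_admin_groups:
            continue                       # cloud administrators are tenancy-wide by design
        if s.resource == "all-resources":
            findings.append((text, "covers every resource type; scope it to a resource family"))
        elif s.compartment is None and s.verb == "manage":
            findings.append((text, "tenancy-wide manage; scope it to a compartment"))
        elif s.resource in ("users", "groups", "policies") and VERB_RANK[s.verb] >= VERB_RANK["use"]:
            # A group that can edit policies or group membership can grant itself anything.
            findings.append((text, "can change IAM itself; reserve that for cloud administrators"))
    return findings


if __name__ == "__main__":
    policy = (
        ["Allow group Administrators to manage all-resources in tenancy"]
        + bds_admin_statements("bds-admins", "bds-prod")
        + big_data_user_statements("big-data-users", "bds-prod")
        # Two deliberately over-broad grants so the lint has something to report:
        + ["Allow group bds-admins to manage all-resources in tenancy",
           "Allow group big-data-users to manage policies in compartment bds-prod"]
    )
    for stmt, reason in lint_policy(policy):
        print(f"{stmt}\n    -> {reason}")
```

Run with python3 to print the two findings for the sample policy: the tenancy-wide all-resources grant to bds-admins, and the policies grant to big-data-users, which would let that group rewrite its own permissions. The same lint can be pointed at the statements of an existing policy before it is applied.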