The ACLAuthz
provider determines who is able to access a service
through the Knox Gateway by comparing the effective user, group, and originating IP
address of the request to the rules defined in the authorization provider.
Configure the AclsAuthz provider as follows:
Open the cluster topology descriptor file,
, in a text editor.$cluster-name
.xmlAdd a
AclsAuthz
authorization provider totopology/gateway
with a parameter for each service as follows:<provider> <role>authorization</role> <name>AclsAuthz</name> <enabled>true</enabled> <param> <name>$service_name.acl.mode</name> <value>$mode</value> </param> <param> <name>$service_Name.acl</name> <value>$cluster_users;$groups_field;$IP_field</value> </param> ... </provider>
Where:
$service_name
matches the name of a service element. For example,webhdfs
.$mode
determines the how the request is evaluated against the fields as follows:AND
specifies that the request must match an entry in all three fields of the corresponding
parameter.$service_name
.aclOR
specifies that the request only needs to match an entry in any field,$users_field
OR$groups_field
, OR$IP_field
.
Note The
parameter is optional. When it is not defined, the default mode is$service_name
.acl.modeAND
; therefore requests to that service must match all three fields.$cluster_users
is a comma separated list of effective users. Use a wildcard (*) to match all users.$groups_field
is a comma separated list of groups. Use a wildcard (*) to match all groups.$IP_field
is a comma separated list of IPv4 addresses. An IP address in the list can contain wildcard at the end to indicate a subnet (for example: 192.168.*). Use a wildcard (*) to match all addresses.
Save the file.
The gateway creates a new WAR file with modified timestamp in
/var/lib/knox/data/deployments
.