Installing DataPlane

Configure Ranger to restrict access to DataPlane

It is strongly recommended that you configure Ranger in your cluster so that these token topologies can be accessed only from your DP instance. This restricts access to authorized users of DataPlane Platform.

As part of configuring Knox SSO to work with DataPlane, you set up Knox topologies that allow your DP instance to communicate and handle SSO token requests between DP and your cluster.

Note
This is the basic Ranger policy setup to restrict access to the Knox topology to only DataPlane. Additional policies may be recommended or required based on the DP Apps (and their requisite Cluster Agents) you use.
  • You will be configuring a Ranger policy to restrict access to Knox SSO token topologies to DataPlane users and your DP Instance.
  • You must have installed and configured DataPlane.
  • You must have configured Knox SSO for DataPlane. See Configuring Knox SSO for DataPlane for more information.
  • You must have Ranger installed and configured in your cluster.
  • Be sure to also add the authorization role to the token topologies you configured for DP in your Knox SSO setup.
    <provider>
       <role>authorization</role>
       <name>XASecurePDPKnox</name>
       <enabled>true</enabled>
    </provider>
                   
  1. In your cluster, navigate to the Ranger UI and log in.
  2. Click Access Manager, and then click the Knox repository link, for example:
    <cluster-name> Policies.
  3. Click Add New Policy, and then enter the following values:
    Parameter        Value
    Policy Type      Access
    Knox Topology    token
    Knox Service     *
  4. Enter groups or user names in Select Group or Select User.
  5. Optional: Under Policy Conditions, click Add Condition and enter the IP addresses of the DataPlane host.
    This adds an IP-based filter to ensure that only known DataPlane Core hosts can access cluster services through the token topology.
  6. Under Permissions, click Add Permission and select Allow.
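
The Ranger policy above is only consulted if the token topology carries the enabled `XASecurePDPKnox` authorization provider listed in the prerequisites. The following check for that provider is an added example, not part of the DataPlane documentation; the function name `audit_topology` and the sample topologies (including the federation provider shown in them) are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample topologies (not taken from a real cluster).
GOOD = """<topology><gateway>
  <provider><role>federation</role><name>SSOCookieProvider</name><enabled>true</enabled></provider>
  <provider><role>authorization</role><name>XASecurePDPKnox</name><enabled>true</enabled></provider>
</gateway><service><role>KNOXTOKEN</role></service></topology>"""
DISABLED = GOOD.replace("XASecurePDPKnox</name><enabled>true",
                        "XASecurePDPKnox</name><enabled>false")
WRONG_NAME = GOOD.replace("XASecurePDPKnox", "AclsAuthz")
MISSING = """<topology><gateway>
  <provider><role>federation</role><name>SSOCookieProvider</name><enabled>true</enabled></provider>
</gateway><service><role>KNOXTOKEN</role></service></topology>"""


def audit_topology(xml_text):
    """Return a list of findings; an empty list means the Ranger
    authorization provider is present and enabled in the topology."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"topology is not well-formed XML: {exc}"]
    # Only providers under <gateway> with role 'authorization' matter here.
    authz = [p for p in root.findall("./gateway/provider")
             if (p.findtext("role") or "").strip() == "authorization"]
    if not authz:
        return ["no authorization provider: Ranger policies are not enforced"]
    findings = []
    for p in authz:
        name = (p.findtext("name") or "").strip()
        enabled = (p.findtext("enabled") or "").strip().lower()
        if name != "XASecurePDPKnox":
            findings.append(f"authorization provider is {name!r}, not 'XASecurePDPKnox'")
        if enabled != "true":
            findings.append(f"authorization provider {name!r} is not enabled")
    return findings


if __name__ == "__main__":
    samples = {"good": GOOD, "disabled": DISABLED,
               "wrong name": WRONG_NAME, "missing": MISSING}
    for label, xml_text in samples.items():
        print(f"{label}: {audit_topology(xml_text) or 'OK'}")
```

Run it against each token topology file you configured for DP in your Knox SSO setup by passing the file contents to `audit_topology`.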