Configuring Proxy with Apache Knox

Set Up an Authorization Provider

The AclsAuthz provider determines who is able to access a service through the Knox Gateway by comparing the authenticated user, the user's groups, and the originating IP address of the request against the rules defined in the authorization provider.

The Knox Gateway has an out-of-the-box authorization provider that allows administrators to restrict access to the individual services within a cluster. This provider uses the simple and familiar pattern of protecting resources with ACLs that specify the users, groups and IP addresses permitted to access them.

Group membership is determined by the identity-assertion parameter group.principal.mapping.

  1. Open the cluster topology descriptor file, $cluster-name.xml, in a text editor.
  2. Add an AclsAuthz authorization provider to topology/gateway with a parameter for each service as follows:
    <provider>
        <role>authorization</role>
        <name>AclsAuthz</name>
        <enabled>true</enabled>
        <param>
            <name>$service_name.acl.mode</name>
            <value>$mode</value>
        </param>
        <param>
            <name>$service_name.acl</name>
            <value>$cluster_users;$groups_field;$IP_field</value>
        </param>
        ...
    </provider>
    where:
    • $service_name matches the name of a service element. For example, webhdfs.
    • $mode determines how the identity context (the effective user, their associated groups, and the original IP address) is evaluated against the fields as follows:
      • AND specifies that the request must match an entry in all three fields of the corresponding $service_name.acl parameter.
      • OR specifies that the request only needs to match an entry in any one field: $cluster_users OR $groups_field OR $IP_field.
    • $cluster_users is a comma-separated list of authenticated users. Use a wildcard (*) to match all users.

    • $groups_field is a comma-separated list of groups. Use a wildcard (*) to match all groups.

    • $IP_field is a comma-separated list of IPv4 or IPv6 addresses. An IP address in the list can contain a wildcard at the end to indicate a subnet (for example: 192.168.*). Use a wildcard (*) to match all addresses.

    Note

    The $service_name.acl.mode parameter is optional. When it is not defined, the default mode is AND; therefore requests to that service must match all three fields.

  3. Save the file.
    The gateway creates a new WAR file with modified timestamp in $gateway/data/deployments.
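The following is an added example, not code from Apache Knox or from this documentation. It parses a constructed AclsAuthz provider fragment with the same parameter layout as the descriptor above and evaluates sample requests under the AND/OR semantics just described, including the default AND mode and the trailing-wildcard IP form. The service names, ACL values and addresses are constructed for the example; the treatment of a trailing wildcard as a textual prefix match, and of a service with no .acl parameter as unrestricted by this provider, are assumptions made here so the check is self-contained. The `effectively_open` helper is a review aid that flags ACLs which match every request, which in OR mode happens as soon as any one field is `*`.

```python
import xml.etree.ElementTree as ET
from ipaddress import ip_address

# Constructed topology fragment for this example (not from a real cluster).
TOPOLOGY_FRAGMENT = """
<gateway>
  <provider>
    <role>authorization</role>
    <name>AclsAuthz</name>
    <enabled>true</enabled>
    <param><name>WEBHDFS.acl.mode</name><value>OR</value></param>
    <param><name>WEBHDFS.acl</name><value>hdfs,guest;admin;10.0.1.*</value></param>
    <param><name>HIVE.acl</name><value>*;analysts;10.0.2.*</value></param>
    <param><name>OOZIE.acl.mode</name><value>OR</value></param>
    <param><name>OOZIE.acl</name><value>oozie;*;10.0.3.*</value></param>
  </provider>
</gateway>
"""


def _empty_acl():
    # Default mode is AND when <service>.acl.mode is not defined.
    return {"mode": "AND", "users": [], "groups": [], "ips": []}


def _split(field):
    return [x.strip() for x in field.split(",") if x.strip()]


def parse_acls(xml_text):
    """Return {service: {"mode", "users", "groups", "ips"}} from an enabled AclsAuthz provider."""
    acls = {}
    for provider in ET.fromstring(xml_text).iter("provider"):
        if provider.findtext("role") != "authorization" or provider.findtext("name") != "AclsAuthz":
            continue
        if provider.findtext("enabled", "false").strip().lower() != "true":
            continue
        for param in provider.findall("param"):
            name = param.findtext("name", "").strip()
            value = param.findtext("value", "").strip()
            if name.endswith(".acl.mode"):
                acls.setdefault(name[:-len(".acl.mode")], _empty_acl())["mode"] = value.upper()
            elif name.endswith(".acl"):
                fields = value.split(";")
                if len(fields) != 3:
                    raise ValueError("ACL for %s must be users;groups;ips" % name)
                entry = acls.setdefault(name[:-len(".acl")], _empty_acl())
                entry["users"], entry["groups"], entry["ips"] = [_split(f) for f in fields]
    return acls


def _ip_matches(entry, ip):
    if entry == "*":
        return True
    if entry.endswith("*"):
        # Assumption: a trailing wildcard is a textual prefix match, as in "192.168.*".
        # Keep the separator in the prefix so "10.0.2.*" does not also match 10.0.20.x.
        return ip.startswith(entry[:-1])
    return ip == entry


def is_authorized(acls, service, user, groups, ip):
    """Evaluate one request against the parsed ACLs (deny on a malformed address)."""
    acl = acls.get(service)
    if acl is None:
        return True  # assumption: no .acl parameter means this provider does not restrict it
    try:
        ip = str(ip_address(ip))  # canonical textual form (e.g. lower-case IPv6)
    except ValueError:
        return False
    user_ok = "*" in acl["users"] or user in acl["users"]
    group_ok = "*" in acl["groups"] or any(g in acl["groups"] for g in groups)
    ip_ok = any(_ip_matches(e, ip) for e in acl["ips"])
    if acl["mode"] == "OR":
        return user_ok or group_ok or ip_ok
    return user_ok and group_ok and ip_ok


def effectively_open(acls):
    """Services whose ACL matches every request: any field '*' in OR mode, or all three '*' in AND mode."""
    found = []
    for svc, acl in acls.items():
        stars = ["*" in acl[k] for k in ("users", "groups", "ips")]
        if (acl["mode"] == "OR" and any(stars)) or all(stars):
            found.append(svc)
    return sorted(found)


if __name__ == "__main__":
    acls = parse_acls(TOPOLOGY_FRAGMENT)
    print(is_authorized(acls, "WEBHDFS", "alice", ["dev"], "10.0.1.9"))  # OR mode: IP alone suffices
    print(is_authorized(acls, "HIVE", "bob", ["analysts"], "10.0.20.44"))  # AND mode: IP outside 10.0.2.*
    print(effectively_open(acls))
```

Because HIVE has no `.acl.mode` parameter it falls back to AND, so its `*` in the users field only relaxes one of three conditions; the same `*` in OOZIE's groups field under OR mode makes that ACL match every request, which is what `effectively_open` reports.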