Set Up an Authorization Provider
The AclsAuthz provider determines who can access a service through the Knox Gateway by comparing the authenticated user, that user's groups, and the originating IP address of the request against the rules defined in the provider's parameters.
- Open the cluster topology descriptor file, $cluster-name.xml, in a text editor.
- Add the AclsAuthz authorization provider to topology/gateway with a parameter for each service as follows:

    <provider>
        <role>authorization</role>
        <name>AclsAuthz</name>
        <enabled>true</enabled>
        <param>
            <name>$service_name.acl.mode</name>
            <value>$mode</value>
        </param>
        <param>
            <name>$service_name.acl</name>
            <value>$cluster_users;$groups_field;$IP_field</value>
        </param>
        ...
    </provider>

  where:
$service_name matches the name of a service element. For example,
$mode determines how the identity context (the effective user, their associated groups, and the original IP address) is evaluated against the three fields: in AND mode the request must match all three fields; in OR mode it is enough for the request to match any one of them.
$cluster_users is a comma-separated list of authenticated users. Use a wildcard (*) to match all users.
$groups_field is a comma-separated list of groups. Use a wildcard (*) to match all groups.
$IP_field is a comma-separated list of IPv4 or IPv6 addresses. An address in the list can end with a wildcard to match a subnet prefix (for example: 192.168.*). Use a wildcard (*) to match all addresses.
The $service_name.acl.mode parameter is optional. When it is not defined, the default mode is AND; therefore requests to that service must match all three fields.
- Save the file.
The gateway creates a new WAR file with a modified timestamp in
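The following is an added illustration of the matching semantics described above; it is not code from the Knox project or from this page. It parses a constructed topology fragment (the service names, ACL values and URLs in it are made up), pulls out the $service_name.acl and $service_name.acl.mode parameters, and evaluates sample requests against them with the documented rules: three semicolon-separated fields, * wildcards, a trailing * on an IP entry for a prefix match, and AND (default) or OR combination. It assumes that a service with no .acl parameter is not restricted by this provider and that a malformed .acl value should be rejected rather than silently ignored; both are choices of this example, not statements about Knox.

```python
"""Evaluate AclsAuthz-style rules against sample requests (added example, not Knox code)."""
import xml.etree.ElementTree as ET

# Constructed topology fragment: service names, ACLs and URLs are invented for the example.
TOPOLOGY_XML = """<topology>
  <gateway>
    <provider>
      <role>authorization</role>
      <name>AclsAuthz</name>
      <enabled>true</enabled>
      <param><name>WEBHDFS.acl.mode</name><value>OR</value></param>
      <param><name>WEBHDFS.acl</name><value>hdfs,admin;analysts;10.0.5.*</value></param>
      <param><name>HIVE.acl</name><value>*;data-eng;192.168.1.10,192.168.1.11</value></param>
    </provider>
  </gateway>
  <service><role>WEBHDFS</role><url>http://namenode.example:50070/webhdfs</url></service>
  <service><role>HIVE</role><url>http://hive.example:10001/cliservice</url></service>
</topology>"""

VALID_MODES = ("AND", "OR")


def _csv(field):
    """Split a comma-separated ACL field into stripped, non-empty entries."""
    return [x.strip() for x in field.split(",") if x.strip()]


def load_acls(xml_text):
    """Return {service: {"acl": [users, groups, ips], "mode": "AND"|"OR"}}
    collected from every enabled AclsAuthz provider in the topology."""
    root = ET.fromstring(xml_text)
    acls = {}
    for prov in root.iter("provider"):
        if prov.findtext("name") != "AclsAuthz" or prov.findtext("enabled") != "true":
            continue
        for param in prov.findall("param"):
            name = (param.findtext("name") or "").strip()
            value = (param.findtext("value") or "").strip()
            if name.endswith(".acl.mode"):
                mode = value.upper()
                if mode not in VALID_MODES:
                    raise ValueError(f"{name}: unknown mode {value!r}")
                acls.setdefault(name[:-len(".acl.mode")], {})["mode"] = mode
            elif name.endswith(".acl"):
                fields = [f.strip() for f in value.split(";")]
                if len(fields) != 3:  # assumption: reject malformed rules instead of ignoring them
                    raise ValueError(f"{name}: expected users;groups;ips, got {value!r}")
                acls.setdefault(name[:-len(".acl")], {})["acl"] = fields
    for rule in acls.values():
        rule.setdefault("mode", "AND")  # documented default when .acl.mode is absent
    return acls


def match_users(field, user):
    return field == "*" or user in _csv(field)


def match_groups(field, groups):
    return field == "*" or bool(set(_csv(field)) & set(groups))


def match_ips(field, ip):
    """Exact match, or prefix match for entries ending in '*' (e.g. 192.168.*)."""
    if field == "*":
        return True
    for entry in _csv(field):
        if entry.endswith("*"):
            if ip.startswith(entry[:-1]):
                return True
        elif entry == ip:
            return True
    return False


def is_authorized(acls, service, user, groups, ip):
    """Apply the service's ACL: AND needs all three fields, OR needs any one."""
    rule = acls.get(service)
    if rule is None or "acl" not in rule:
        return True  # assumption for this example: no ACL configured, provider does not block
    users_f, groups_f, ips_f = rule["acl"]
    checks = (match_users(users_f, user), match_groups(groups_f, groups), match_ips(ips_f, ip))
    return all(checks) if rule["mode"] == "AND" else any(checks)


if __name__ == "__main__":
    acls = load_acls(TOPOLOGY_XML)
    # Constructed requests: (service, user, groups, source IP)
    requests = [
        ("WEBHDFS", "guest", [], "10.0.5.7"),              # OR: the IP prefix alone is enough
        ("WEBHDFS", "guest", ["interns"], "203.0.113.9"),  # OR: nothing matches
        ("HIVE", "alice", ["data-eng"], "192.168.1.10"),   # AND: all three fields match
        ("HIVE", "alice", ["data-eng"], "192.168.1.12"),   # AND: IP not listed, denied
    ]
    for svc, user, groups, ip in requests:
        verdict = "allow" if is_authorized(acls, svc, user, groups, ip) else "deny"
        print(f"{svc:8} user={user:6} groups={groups} ip={ip:14} mode={acls[svc]['mode']} -> {verdict}")
```

The last two sample requests show why the default matters: with HIVE left in AND mode, a user in the right group is still denied from an address outside the list, whereas WEBHDFS in OR mode lets any request from 10.0.5.* through regardless of user or group. Review each service's mode deliberately before relying on an IP or group field as the only control.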