(Optional) Configure Ranger to restrict access to DataPlane
It is strongly recommended that in your cluster, you configure Ranger to restrict access to these DataPlane specific topologies to be only from your DP instance, in order to restrict access to only authorized users of DataPlane Platform.
As part of configuring Knox SSO to work with DataPlane, you setup Knox topologies to allow your DP instance to communicate and handle SSO request token between DP and your cluster.
This is the basic Ranger policy setup to restrict access to the Knox topology to only DataPlane. Additional policies may be recommended or required based on the DP Apps (and their requisite Cluster Agents) you use.
- You will be configuring a Ranger policy to restrict access to Knox SSO token topologies to DataPlane users and your DP Instance.
- You must have installed and configured DataPlane.
- You must have configured Knox SSO for DataPlane. See Configuring Knox SSO for DataPlane for more information.
- You must have Ranger installed and configured in your cluster.
Be sure to also add the authorization role to the token topologies you configured for DP in your Knox SSO setup.
<provider> <role>authorization</role> <name>XASecurePDPKnox</name> <enabled>true</enabled> </provider>
- In your cluster, navigate to the Ranger UI and log in.
Click Access Manager, and then click the Knox repository
link, for example:
- Click Add New Policy, and then enter the following values:
Parameter Value Policy Type Access Knox Topology token Knox Service *
- Enter groups or user names in Select Group or Select User.
Optional: Under Policy Conditions click Add Condition and
enter the IP addresses of the DataPlane host.
This adds an IP-based filter to ensure that only known DataPlane Core hosts can access cluster services through the token topology.
- Under Permissions, click Add Permission and select Allow.