The AclsAuthz provider determines who is able to access a service through the Knox Gateway by comparing the authenticated user, the user's groups, and the originating IP address of the request to the rules defined in the authorization provider.

Configure the AclsAuthz provider as follows:

1. Open the cluster topology descriptor file, $cluster-name.xml, in a text editor.

2. Add an AclsAuthz authorization provider to topology/gateway with a parameter for each service, as follows:

    <provider>
        <role>authorization</role>
        <name>AclsAuthz</name>
        <enabled>true</enabled>
        <param>
            <name>$service_name.acl.mode</name>
            <value>$mode</value>
        </param>
        <param>
            <name>$service_name.acl</name>
            <value>$cluster_users;$groups_field;$IP_field</value>
        </param>
        ...
    </provider>

   where:

   $service_name matches the name of a service element, for example webhdfs.

   $mode determines how the identity context (the effective user, their associated groups, and the original IP address) is evaluated against the fields, as follows:

       AND specifies that the request must match an entry in all three fields of the corresponding $service_name.acl parameter.

       OR specifies that the request only needs to match an entry in any one field: $cluster_users, OR $groups_field, OR $IP_field.

   Note: The $service_name.acl.mode parameter is optional. When it is not defined, the default mode is AND; therefore requests to that service must match all three fields.

   $cluster_users is a comma-separated list of authenticated users. Use a wildcard (*) to match all users.

   $groups_field is a comma-separated list of groups. Use a wildcard (*) to match all groups.

   $IP_field is a comma-separated list of IPv4 or IPv6 addresses. An IP address in the list can end with a wildcard to indicate a subnet (for example, 192.168.*). Use a wildcard (*) to match all addresses.

3. Save the file.

The gateway creates a new WAR file with a modified timestamp in $gateway/data/deployments.
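The following added example (not Knox's own code) models the evaluation rules described above: it reads the AclsAuthz provider parameters out of a constructed topology fragment and checks a request's user, groups and source IP against them in AND or OR mode, with AND as the default when $service_name.acl.mode is absent. The trailing-wildcard IP match is implemented as a simple prefix comparison, which is an assumption about the documented "192.168.*" form; use it to sanity-check an ACL before deploying the topology, not as a substitute for the gateway's own enforcement.

```python
import xml.etree.ElementTree as ET

# Constructed sample topology fragment (not taken from a real cluster).
TOPOLOGY = """<topology><gateway>
<provider><role>authorization</role><name>AclsAuthz</name><enabled>true</enabled>
<param><name>webhdfs.acl.mode</name><value>OR</value></param>
<param><name>webhdfs.acl</name><value>hdfs;admin;192.168.*</value></param>
<param><name>webhcat.acl</name><value>*;analyst;10.0.0.5,10.0.0.6</value></param>
</provider></gateway></topology>"""


def load_acls(topology_xml):
    """Collect {service: {"mode": ..., "acl": ...}} from enabled AclsAuthz providers."""
    rules = {}
    for prov in ET.fromstring(topology_xml).iter("provider"):
        role, name = prov.findtext("role", "").strip(), prov.findtext("name", "").strip()
        enabled = prov.findtext("enabled", "true").strip().lower() == "true"
        if role != "authorization" or name != "AclsAuthz" or not enabled:
            continue
        for param in prov.findall("param"):
            pname = param.findtext("name", "").strip()
            value = param.findtext("value", "").strip()
            if pname.endswith(".acl.mode"):
                rules.setdefault(pname[: -len(".acl.mode")], {})["mode"] = value.upper()
            elif pname.endswith(".acl"):
                rules.setdefault(pname[: -len(".acl")], {})["acl"] = value
    return rules


def _csv(field):
    return [v.strip() for v in field.split(",") if v.strip()]


def _ip_matches(ip, pattern):
    # "*" matches every address; a trailing "*" matches a prefix such as "192.168." (assumed)
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return ip.startswith(pattern[:-1])
    return ip == pattern


def is_authorized(rule, user, groups, ip):
    """Evaluate one service's rule; mode defaults to AND when $service_name.acl.mode is absent."""
    users, grps, ips = (_csv(f) for f in rule["acl"].split(";"))
    user_ok = "*" in users or user in users
    group_ok = "*" in grps or any(g in grps for g in groups)
    ip_ok = any(_ip_matches(ip, p) for p in ips)
    if rule.get("mode", "AND") == "OR":
        return user_ok or group_ok or ip_ok
    return user_ok and group_ok and ip_ok
```

Note that the OR rule for webhdfs lets any authenticated user in from the 192.168.* range regardless of group, which is the kind of over-broad grant this check is meant to surface.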