Add a new shared provider configuration

An example of how to add new authorization provider in the manager shared provider configuration.

It is possible that you add a brand new shared provider configuration. In this example you will see how to create testProviders with the following providers set:
  • authentication: ShiroProvider (LDAP) or PAM
  • identity-assertion: Default
  • authorization: Ranger (XASecurePDPKnox)
This particular authorization provider is set as follows (in its JSON descriptor):
{
         "role": "authorization",
         "name": "AclsAuthz",
         "enabled": "true",
         "params": {
            "knox.acl.mode": "OR",
            "knox.acl": "KNOX_ADMIN_USERS;KNOX_ADMIN_GROUPS;*"
         }
      }
  1. From Cloudera Manager > Knox > Configuration, add the following entry in the Knox Gateway Advanced Configuration Snippet (Safety Valve) for conf/cdp-descriptors.xml:
    • name = providerConfigs:testProviders
    • value = role=authentication#authentication.name=ShiroProvider#authentication.param.main.pamRealm=org.apache.knox.gateway.shirorealm.KnoxPamRealm#authentication.param.main.pamRealm.service=login#role=identity-assertion#identity-assertion.name=Default#role=authorization#authorization.name=XASecurePDPKnox
  2. Save your changes.
  3. Refresh the cluster.
  4. Validate:
    $ curl -ku knoxui:knoxui 'https://johndoe-1.abc.cloudera.com:8443/gateway/admin/api/v1/providerconfig/testProviders'
    {
      "providers" : [ {
        "role" : "authentication",
        "name" : "ShiroProvider",
        "enabled" : true,
        "params" : {
          "main.pamRealm" : "org.apache.knox.gateway.shirorealm.KnoxPamRealm",
          "main.pamRealm.service" : "login"
        }
      }, {
        "role" : "identity-assertion",
        "name" : "Default",
        "enabled" : true,
        "params" : { }
      }, {
        "role" : "authorization",
        "name" : "XASecurePDPKnox",
        "enabled" : true,
        "params" : { }
      } ]
    }