Add a new provider configuration

Provider configurations are definitions of authentication and authorization controls for services proxied by Knox, which may be referenced by one or more descriptors.

  1. Define the providers:
    1. From Cloudera Manager > Knox > Configuration, add a new entry in Knox Gateway Advanced Configuration Snippet (Safety Valve) for conf/cdp-resources.xml_role_safety_valve.
    2. Name the provider configuration, and specify the desired providers and their corresponding configuration attributes.
      Provider configuration entries are named as providerConfigs:TOPOLOGY_NAME (E.G., providerConfigs:myTopology).
    3. For each provider, the role is declared (E.G., role=authentication, role=authorization), and subsequently configured by defining properties of that role (E.G., authentication.name=ShiroProvider, authentication.param.sessionTimeout=30).
    Example (LDAP authentication and Ranger authorization)
    • Name=providerConfigs:ldap-ranger-provider
    • Value=
      role=authentication#
      authentication.name=ShiroProvider#
      authentication.param.sessionTimeout=30#
      authentication.param.main.ldapRealm=org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm#
      authentication.param.main.ldapContextFactory=org.apache.knox.gateway.shirorealm.KnoxLdapContextFactory#
      authentication.param.main.ldapRealm.contextFactory=$ldapContextFactory#
      authentication.param.main.ldapRealm.contextFactory.authenticationMechanism=simple#
      authentication.param.main.ldapRealm.contextFactory.url=ldap://ldap-host:33389#
      authentication.param.main.ldapRealm.contextFactory.systemUsername=uid=guest,ou=people,dc=hadoop,dc=apache,dc=org#
      authentication.param.main.ldapRealm.userDnTemplate=uid={0},ou=people,dc=hadoop,dc=apache,dc=org#
      authentication.param.urls./**=authcBasic#
      role=authorization#
      authorization.name=XASecurePDPKnox
  2. Save your changes.
  3. Refresh your cluster: the Refresh needed stale configuration indicator appears; click it and wait until the refresh process completes.
  4. Validate:
    Using the Knox Admin UI (https://KNOX_GATEWAY_HOST:PORT/GATEWAY_PATH/gateway/manager/admin-ui/), navigate to the Provider Configurations, and verify that your provider configuration was generated with the providers and parameters you specified.