Cloudera Docs

Add a new shared provider configuration

Provider configurations are definitions of authentication and authorization controls for services proxied by Knox, which may be referenced by one or more descriptors.

  1. Define the providers:
    1. From Cloudera Manager > Knox > Configuration, add a new entry in Knox Gateway Advanced Configuration Snippet (Safety Valve) for conf/cdp-resources.xml_role_safety_valve.
    2. Name the provider configuration, and specify the desired providers and their corresponding configuration attributes.
      Provider configuration entries are named as providerConfigs:TOPOLOGY_NAME (E.G., providerConfigs:myTopology).
    3. For each provider, the role is declared (E.G., role=authentication, role=authorization), and subsequently configured by defining properties of that role (E.G., authentication.name=ShiroProvider, authentication.param.sessionTimeout=30).
    Example (LDAP authentication and Ranger authorization)
    • Name=providerConfigs:ldap-ranger-provider
    • Value=
      role=authentication#
authentication.name=ShiroProvider#
authentication.param.sessionTimeout=30#
authentication.param.main.ldapRealm=org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm#
authentication.param.main.ldapContextFactory=org.apache.knox.gateway.shirorealm.KnoxLdapContextFactory#
authentication.param.main.ldapRealm.contextFactory=$ldapContextFactory#
authentication.param.main.ldapRealm.contextFactory.authenticationMechanism=simple#
authentication.param.main.ldapRealm.contextFactory.url=ldap://ldap-host:33389#
authentication.param.main.ldapRealm.contextFactory.systemUsername=uid=guest,ou=people,dc=hadoop,dc=apache,dc=org#
authentication.param.main.ldapRealm.userDnTemplate=uid={0},ou=people,dc=hadoop,dc=apache,dc=org#
authentication.param.urls./**=authcBasic#
role=authorization#
authorization.name=XASecurePDPKnox
  2. Save your changes.
  3. Refresh your cluster: the Refresh needed stale configuration indicator appears; click it and wait until the refresh process completes.
  4. Validate:
    Using the Knox Admin UI (https://KNOX_GATEWAY_HOST:PORT/GATEWAY_PATH/gateway/manager/admin-ui/), navigate to the Provider Configurations, and verify that your provider configuration was generated with the providers and parameters you specified.