Add a new shared provider configuration

A provider configuration defines the authentication and authorization controls for services proxied by Knox, and may be referenced by one or more descriptors.

  1. Define the providers:
    1. From Cloudera Manager > Knox > Configuration, add a new entry in Knox Gateway Advanced Configuration Snippet (Safety Valve) for conf/cdp-resources.xml_role_safety_valve.
    2. Name the provider configuration, and specify the desired providers and their corresponding configuration attributes.
      Provider configuration entries are named providerConfigs:TOPOLOGY_NAME (e.g., providerConfigs:myTopology).
    3. For each provider, declare the role (e.g., role=authentication, role=authorization), then configure it by defining properties of that role (e.g., authentication.name=ShiroProvider, authentication.param.sessionTimeout=30).
    Example (LDAP authentication and Ranger authorization)
    • Name=providerConfigs:ldap-ranger-provider
    • Value=
      role=authentication#
      authentication.name=ShiroProvider#
      authentication.param.sessionTimeout=30#
      authentication.param.main.ldapRealm=org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm#
      authentication.param.main.ldapContextFactory=org.apache.knox.gateway.shirorealm.KnoxLdapContextFactory#
      authentication.param.main.ldapRealm.contextFactory=$ldapContextFactory#
      authentication.param.main.ldapRealm.contextFactory.authenticationMechanism=simple#
      authentication.param.main.ldapRealm.contextFactory.url=ldap://ldap-host:33389#
      authentication.param.main.ldapRealm.contextFactory.systemUsername=uid=guest,ou=people,dc=hadoop,dc=apache,dc=org#
      authentication.param.main.ldapRealm.userDnTemplate=uid={0},ou=people,dc=hadoop,dc=apache,dc=org#
      authentication.param.urls./**=authcBasic#
      role=authorization#
      authorization.name=XASecurePDPKnox
  2. Save your changes.
  3. Refresh your cluster: when the Refresh needed stale configuration indicator appears, click it and wait until the refresh process completes.
  4. Validate using the Knox homepage.
    Verify that your topology is generated with the services and URLs you specified.
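
Before pasting a Value into the safety valve, it can be checked offline. The following is an added example, not Cloudera or Knox tooling: it parses the role/name/param entry format described in step 1 and flags properties with no matching role, roles with no name, and a simple bind over an unencrypted ldap:// URL. The function names are hypothetical, SAMPLE reuses entries from the example above, and it assumes one entry per line terminated by #.

```python
# Added example (not Cloudera or Knox tooling): parse and lint a providerConfigs value.
# Assumption: one entry per line, each terminated by '#', as in the example on this page.
SAMPLE = """\
role=authentication#
authentication.name=ShiroProvider#
authentication.param.sessionTimeout=30#
authentication.param.main.ldapRealm.contextFactory.authenticationMechanism=simple#
authentication.param.main.ldapRealm.contextFactory.url=ldap://ldap-host:33389#
authentication.param.main.ldapRealm.userDnTemplate=uid={0},ou=people,dc=hadoop,dc=apache,dc=org#
authentication.param.urls./**=authcBasic#
role=authorization#
authorization.name=XASecurePDPKnox
"""

def parse_provider_config(value):
    """Return ({role: {"name": str or None, "params": {...}}}, [errors])."""
    entries = [e for e in (l.strip().rstrip("#") for l in value.splitlines()) if e]
    providers = {e[5:]: {"name": None, "params": {}} for e in entries if e.startswith("role=")}
    errors = []
    for entry in entries:
        key, sep, val = entry.partition("=")   # split on the first '=' only: DNs contain '='
        role, _, attr = key.partition(".")     # property keys are prefixed with their role
        if not sep:
            errors.append(f"missing '=': {entry}")
        elif key == "role":
            continue                           # role declarations were collected above
        elif role not in providers:
            errors.append(f"no role={role} declared for: {key}")
        elif attr == "name":
            providers[role]["name"] = val
        elif attr.startswith("param."):
            providers[role]["params"][attr[len("param."):]] = val
        else:
            errors.append(f"unrecognised attribute: {key}")
    return providers, errors

def lint(providers):
    """Flag settings a reviewer would question before the configuration is shared."""
    findings = [f"role '{r}' has no .name" for r, p in providers.items() if not p["name"]]
    params = providers.get("authentication", {}).get("params", {})
    prefix = "main.ldapRealm.contextFactory."
    url = params.get(prefix + "url", "")
    mechanism = params.get(prefix + "authenticationMechanism")
    if url.lower().startswith("ldap://") and mechanism == "simple":
        findings.append("simple bind over ldap:// sends passwords unencrypted; prefer ldaps://")
    return findings
```

Run against SAMPLE, the parser reports no structural errors and the linter returns one finding, for the ldap:// URL combined with authenticationMechanism=simple.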