Configuring the Knox IDBroker

Learn how to configure the Knox IDBroker in Cloudera Manager.

The IDBroker must be made aware of the available session policies. Configure these policies in Cloudera Manager so that they survive restarts, upgrades, and similar events.

  1. Go to Cloudera Manager > Knox > Instances > Configuration > Knox IDBroker Advanced Configuration Snippet (Safety Valve) for conf/cdp-resources.xml
  2. Add a property named sessionPolicyTemplate:read-only with the following values:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowListingOfDataLakeFolder",
          "Effect": "Allow",
          "Action": [
            "s3:GetAccelerateConfiguration",
            "s3:GetAnalyticsConfiguration",
            "s3:GetBucketAcl",
            "s3:GetBucketCORS",
            "s3:GetBucketLocation",
            "s3:GetBucketLogging",
            "s3:GetBucketNotification",
            "s3:GetBucketPolicy",
            "s3:GetBucketPolicyStatus",
            "s3:GetBucketPublicAccessBlock",
            "s3:GetBucketRequestPayment",
            "s3:GetBucketTagging",
            "s3:GetBucketVersioning",
            "s3:GetBucketWebsite",
            "s3:GetEncryptionConfiguration",
            "s3:GetInventoryConfiguration",
            "s3:GetLifecycleConfiguration",
            "s3:GetMetricsConfiguration",
            "s3:GetObject",
            "s3:GetObjectAcl",
            "s3:GetObjectTagging",
            "s3:GetObjectVersion",
            "s3:GetObjectVersionAcl",
            "s3:GetObjectVersionTagging",
            "s3:GetReplicationConfiguration",
            "s3:ListBucket",
            "s3:ListBucketMultipartUploads",
            "s3:ListMultipartUploadParts"
          ],
          "Resource": "arn:aws:s3:::${bucket}",
          "Condition": {
            "StringEquals": {
              "s3:prefix": [
                "${prefix}",
                "${prefix}/*"
              ]
            }
          }
        }
      ]
    }
    
  3. Save your changes and restart the Hive Metastore service.
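As an added example (not part of the original page or of the IDBroker code base), the following Python checks a session policy template before it is pasted into the safety valve: it confirms that both ${bucket} and ${prefix} placeholders are present, renders the template for a given bucket and prefix, and flags any Allow action that is not a Get/List action or that uses a wildcard. It assumes the IDBroker fills the placeholders by plain string substitution and uses an abbreviated copy of the action list; the full list above behaves the same way.

```python
import json
import re
from string import Template

# Constructed, abbreviated copy of the read-only session policy template above;
# the full action list from the page works the same way.
READ_ONLY_TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AllowListingOfDataLakeFolder",
    "Effect": "Allow",
    "Action": ["s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket"],
    "Resource": "arn:aws:s3:::${bucket}",
    "Condition": {"StringEquals": {"s3:prefix": ["${prefix}", "${prefix}/*"]}}
  }]
}"""

REQUIRED_PLACEHOLDERS = {"bucket", "prefix"}   # both must scope the policy
READ_ONLY_ACTION_PREFIXES = ("s3:Get", "s3:List")


def missing_placeholders(template: str) -> set:
    """Placeholders the template never references; a template without
    ${bucket} would apply to every bucket the underlying role can reach."""
    present = set(re.findall(r"\$\{(\w+)\}", template))
    return REQUIRED_PLACEHOLDERS - present


def render_session_policy(template: str, bucket: str, prefix: str) -> dict:
    """Fill ${bucket} and ${prefix} and parse the result as a policy document.
    Assumption: the IDBroker performs plain string substitution of these names."""
    rendered = Template(template).substitute(bucket=bucket, prefix=prefix)
    return json.loads(rendered)


def read_only_violations(policy: dict) -> list:
    """Actions in Allow statements that are not Get/List, or that use
    wildcards, plus an unscoped Resource; an empty list means the
    template really is read-only."""
    violations = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        violations += [a for a in actions
                       if "*" in a or not a.startswith(READ_ONLY_ACTION_PREFIXES)]
        if stmt.get("Resource") == "*":
            violations.append("Resource:*")
    return violations
```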