Cloudera Docs

Configuring the Knox IDBroker

Learn how to configure the Knox IDBroker in Cloudera Manager.

The IDBroker must be made aware of available session policies. Configure these policies using the Cloudera Manager so that they survive restarts, upgrades, and other such events.

  1. Go to Cloudera Manager > Knox > Instances > Configuration > Knox IDBroker Advanced Configuration Snippet (Safety Valve) for conf/cdp-resources.xml
  2. After clicking View as XML, add a property named sessionPolicyTemplate:read-only with the following values: 
    <property><name>sessionPolicyTemplate:read-only</name><value>{"Version":"2012-10-17","Statement":[{"Sid":"AllowListingOfDataLakeFolderOnly","Effect":"Allow","Action":["s3:List*"],"Resource":"arn:aws:s3:::${bucket}","Condition":{"StringEquals":{"s3:prefix":["${prefix}","${prefix}/"]}}},
{"Sid":"AllowAccessToDataLakeFolder","Effect":"Allow","Action":["s3:Get"],"Resource":"arn:aws:s3:::${bucket}/${prefix}/*"}]}</value></property>
  3. Save your changes and restart the Knox service.
Continue with creating a Data Share.