Cloudera Docs

Configuring the Knox IDBroker

Learn how to configure the Knox IDBroker in Cloudera Manager.

The IDBroker must be made aware of available session policies. Configure these policies using the Cloudera Manager so that they survive restarts, upgrades, and other such events.

This policy template provides secure, read-only access to specific S3 paths for data sharing scenarios:

  • Listing permissions (s3:List*): Allows listing bucket contents with prefix restrictions
  • Read permissions (s3:Get*): Allows reading objects within the specified prefix path
  • Dynamic scoping: The ${bucket} and ${prefix} variables are automatically substituted with the S3 bucket name and its path when REST Catalog requests credentials.
  • Size optimized: The minified format ensures the policy stays under the 2048-character AWS STS plaintext limit, as well as, honors the packed policy size limit.

After REST Catalog constructs the session policy template with the data access information, the AWS Security Token Service provides the minimal required temporary credentials to read the data stored in AWS.

  1. Go to Cloudera Manager > Knox > Instances > Configuration > Knox IDBroker Advanced Configuration Snippet (Safety Valve) for conf/cdp-resources.xml
  2. After clicking View as XML, add a property named sessionPolicyTemplate:read-only with the following values: 
    <property>
<name>sessionPolicyTemplate:read-only</name>
    <value>
        {"Version":"2012-10-17",
        "Statement":[{"Sid":"AllowListingOfDataLakeFolderOnly",
        "Effect":"Allow",
        "Action":["s3:List*"],
        "Resource":"arn:aws:s3:::${bucket}",
        "Condition":{"StringEquals":{"s3:prefix":["${prefix}",
        "${prefix}/"]}}},
        {"Sid":"AllowAccessToDataLakeFolder",
        "Effect":"Allow",
        "Action":["s3:Get*"],
        "Resource":"arn:aws:s3:::${bucket}/${prefix}/*"}]}
    </value>
</property>
  3. Save your changes and restart the Knox service.
Continue with creating a Data Share.