Configuring the Knox gateway-site.xml

Learn how to configure Knox parameters to allow admin permissions in Knox. Admin permission is required to create the CLIENT_ID and CLIENT_SECRET.

The CLIENT_ID and CLIENT_SECRET is required for creating Data Shares to authorize your external clients.

The Cloudera on cloud user must be configured as both Knox and Ranger Admin to perform the tasks required to configure Knox parameters.
note
For more information on setting the Ranger admin, see:
- Cloudera account administrator
- Administering Ranger Users, Groups, Roles, and Permissions
Knox topologies are automatically deployed. Editing the token lifetime (KNOXTOKEN:knox.token.ttl) and the token allowance per user (KNOXTOKEN:knox.token.limit.per.user) is applicable to all topologies, but can be overridden by individual topology settings.
important
If you use multiple services using the same Knox token gateway, Cloudera strongly recommends using topology level settings by each service.

Go to Cloudera Manager > Clusters > Knox > Configuration > Advanced Configuration Snippet (Safety Valve) for conf/gateway-site.xml
1. Add the gateway.knox.admin.users parameter.
  
  note
  
  Users who create the Client tokens and secrets for data sharing, must be a part of the Knox admin users and groups configuration. For example, gateway.knox.admin.users = ***SHAREADMIN1***, ***SHAREADMIN2***.
2. Add the gateway.knox.admin.groups parameter.
Click Save Changes.
Set the Knox token limit parameter:
1. Cloudera Manager > Clusters > Knox > Configuration.
2. Search for gateway.knox.token.limit.per.user, then set the value of the parameter.
  
  note
  The value -1 means "unlimited". For example, using gateway.knox.token.limit.per.user=2 allows two external Data Share users concurrently without an expiration time limit. This setting applies to all user across all Knox topologies.
Click Save Changes and refresh the configuration as needed.

Continue with configuring the Knox IDBroker.