https://community.cloudera.com/t5/Archives-of-Support-Questions/Edit-service-authorization-in-Knox/m-p/100012#M13038 <P>You may find Sample 5 in my recent blog here helpful.</P><P><A href="http://kminder.github.io/knox/2015/11/18/knox-with-activedirectory.html">http://kminder.github.io/knox/2015/11/18/knox-with...</A></P><P>The only quick tip I can give you here without more information is that your authorization provider configuration should probably look like this. </P><PRE> &lt;provider&gt; &lt;role&gt;authorization&lt;/role&gt; &lt;name&gt;AclsAuthz&lt;/name&gt; &lt;enabled&gt;true&lt;/enabled&gt; &lt;param name="WEBHBASE.acl" value="admin;*;*"/&gt; &lt;/provider&gt;</PRE><P>For your custom services all you need to do is match the value before the ".acl" with the role of your custom service. This example may help clarify. </P><PRE> &lt;provider&gt; &lt;role&gt;authorization&lt;/role&gt; &lt;name&gt;AclsAuthz&lt;/name&gt; &lt;enabled&gt;true&lt;/enabled&gt; &lt;param name="WEBHBASE.acl" value="admin;*;*"/&gt; &lt;param name="CUSTOM.acl" value="guest;*;*"/&gt; &lt;/provider&gt; </PRE><P>Of course you can also use the Ranger authorization plugin and instead of this "AclsAuthz" plugin and define the policy in the Ranger policy UI.</P> Fri, 18 Dec 2015 23:40:04 GMT kevin_minder 2015-12-18T23:40:04Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Edit-service-authorization-in-Knox/m-p/100010#M13036 <P>I would like to alter who has access to different Knox Services. For example, I can currently access all the services using guest:guest-password or admin:admin-password but would like to change that so only admin can access certain services. I believe it will mean changing something in the default.xml file in the Knox topologies. I have tried adding this parameter to the default.xml, but I can still access HBase as a guest.</P><PRE>&lt;param&gt; &lt;name&gt;webhbase.acl&lt;/name&gt; &lt;value&gt;admin&lt;/value&gt; &lt;/param&gt; </PRE><P>It's not just HBase I would like to change but custom services too so a more general answer would be very much appreciated.</P> Fri, 18 Dec 2015 23:22:14 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Edit-service-authorization-in-Knox/m-p/100010#M13036 sambass 2015-12-18T23:22:14Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Edit-service-authorization-in-Knox/m-p/100011#M13037 <P><A rel="user" href="https://community.cloudera.com/users/1394/sambass.html" nodeid="1394">@Sam Bass</A> </P><P>I believe you need Ranger + Knox <A href="http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.3.2/bk_Ranger_User_Guide/content/knox_repository.html">http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-...</A></P><P>Knox policies <A href="http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.3.2/bk_Ranger_User_Guide/content/knox_policy.html">http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-...</A></P> Fri, 18 Dec 2015 23:38:41 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Edit-service-authorization-in-Knox/m-p/100011#M13037 nsabharwal 2015-12-18T23:38:41Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Edit-service-authorization-in-Knox/m-p/100012#M13038 <P>You may find Sample 5 in my recent blog here helpful.</P><P><A href="http://kminder.github.io/knox/2015/11/18/knox-with-activedirectory.html">http://kminder.github.io/knox/2015/11/18/knox-with...</A></P><P>The only quick tip I can give you here without more information is that your authorization provider configuration should probably look like this. </P><PRE> &lt;provider&gt; &lt;role&gt;authorization&lt;/role&gt; &lt;name&gt;AclsAuthz&lt;/name&gt; &lt;enabled&gt;true&lt;/enabled&gt; &lt;param name="WEBHBASE.acl" value="admin;*;*"/&gt; &lt;/provider&gt;</PRE><P>For your custom services all you need to do is match the value before the ".acl" with the role of your custom service. This example may help clarify. </P><PRE> &lt;provider&gt; &lt;role&gt;authorization&lt;/role&gt; &lt;name&gt;AclsAuthz&lt;/name&gt; &lt;enabled&gt;true&lt;/enabled&gt; &lt;param name="WEBHBASE.acl" value="admin;*;*"/&gt; &lt;param name="CUSTOM.acl" value="guest;*;*"/&gt; &lt;/provider&gt; </PRE><P>Of course you can also use the Ranger authorization plugin and instead of this "AclsAuthz" plugin and define the policy in the Ranger policy UI.</P> Fri, 18 Dec 2015 23:40:04 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Edit-service-authorization-in-Knox/m-p/100012#M13038 kevin_minder 2015-12-18T23:40:04Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Edit-service-authorization-in-Knox/m-p/100013#M13039 <P>Additional examples are available in the Apache Knox Users Guide under <A href="http://knox.apache.org/books/knox-0-6-0/user-guide.html#Authorization">Authorization</A></P> Sat, 19 Dec 2015 03:25:53 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Edit-service-authorization-in-Knox/m-p/100013#M13039 amiller 2015-12-19T03:25:53Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Edit-service-authorization-in-Knox/m-p/100014#M13040 <A rel="user" href="https://community.cloudera.com/users/190/kevinminder.html" nodeid="190">@Kevin Minder</A><P> Thanks, that worked just as I needed it to.</P> Mon, 21 Dec 2015 19:33:30 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Edit-service-authorization-in-Knox/m-p/100014#M13040 sambass 2015-12-21T19:33:30Z