Created 12-18-2015 03:22 PM
I would like to alter who has access to different Knox Services. For example, I can currently access all the services using guest:guest-password or admin:admin-password but would like to change that so only admin can access certain services. I believe it will mean changing something in the default.xml file in the Knox topologies. I have tried adding this parameter to the default.xml, but I can still access HBase as a guest.
<param>
  <name>webhbase.acl</name>
  <value>admin</value>
</param>
It's not just HBase I would like to change but custom services too so a more general answer would be very much appreciated.
Created 12-18-2015 03:40 PM
You may find Sample 5 in my recent blog here helpful.
http://kminder.github.io/knox/2015/11/18/knox-with...
The only quick tip I can give you here without more information is that your authorization provider configuration should probably look like this.
<provider>
  <role>authorization</role>
  <name>AclsAuthz</name>
  <enabled>true</enabled>
  <param name="WEBHBASE.acl" value="admin;*;*"/>
</provider>
For your custom services all you need to do is match the value before the ".acl" with the role of your custom service. This example may help clarify.
<provider>
  <role>authorization</role>
  <name>AclsAuthz</name>
  <enabled>true</enabled>
  <param name="WEBHBASE.acl" value="admin;*;*"/>
  <param name="CUSTOM.acl" value="guest;*;*"/>
</provider>
Of course, you can also use the Ranger authorization plugin instead of this "AclsAuthz" plugin and define the policy in the Ranger policy UI.
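A way to check a topology file against the advice above, as an added example that is not part of the original answer or of Knox itself: the script reads the enabled AclsAuthz provider, accepts both param forms seen in this thread, and reports which service roles have an ACL and which params name no service. The sample topology, the function names and the exact-match comparison of the name before ".acl" with the service role are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample topology (not from the thread): the CUSTOM service ends up
# without an ACL because its param is spelled "custom.acl".
SAMPLE = """<topology>
  <gateway>
    <provider>
      <role>authorization</role><name>AclsAuthz</name><enabled>true</enabled>
      <param name="WEBHBASE.acl" value="admin;*;*"/>
      <param><name>custom.acl</name><value>guest</value></param>
    </provider>
  </gateway>
  <service><role>WEBHBASE</role><url>http://localhost:60080</url></service>
  <service><role>CUSTOM</role><url>http://localhost:9999</url></service>
</topology>"""

def text(elem, tag):
    return (elem.findtext(tag) or "").strip()

def read_param(param):
    """Accept both <param name=".." value=".."/> and <param><name/><value/></param>."""
    return (param.get("name") or text(param, "name"),
            param.get("value") or text(param, "value"))

def parse_acl(value):
    """Split 'users;groups;ips' into lists; None unless exactly three fields."""
    fields = [f.strip() for f in value.split(";")]
    if len(fields) != 3 or not all(fields):
        return None
    return dict(zip(("users", "groups", "ips"), (f.split(",") for f in fields)))

def audit(topology_xml):
    """Return (acl per service role, roles with no ACL, params needing a second look)."""
    root = ET.fromstring(topology_xml)
    roles = [text(s, "role") for s in root.iter("service")]
    covered, suspect = {}, []
    for prov in root.iter("provider"):
        if (text(prov, "role"), text(prov, "name"), text(prov, "enabled").lower()) != (
                "authorization", "AclsAuthz", "true"):
            continue  # only an enabled AclsAuthz authorization provider is read
        for name, value in map(read_param, prov.findall("param")):
            if not name.endswith(".acl"):
                continue
            acl = parse_acl(value)
            if name[:-4] not in roles:   # exact comparison, as written in the file
                suspect.append(f"{name}: no service with role {name[:-4]!r}")
            elif acl is None:
                suspect.append(f"{name}: value {value!r} is not users;groups;ips")
            else:
                covered[name[:-4]] = acl
    return covered, [r for r in roles if r not in covered], suspect

if __name__ == "__main__":
    print(audit(SAMPLE))
```
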
Created 12-18-2015 03:38 PM
I believe you need Ranger + Knox http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-...
Knox policies http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-...
Created 12-18-2015 07:25 PM
Additional examples are available in the Apache Knox Users Guide under Authorization.
Created 12-21-2015 11:33 AM
Thanks, that worked just as I needed it to.