Support Questions

Find answers, ask questions, and share your expertise

Edit service authorization in Knox

avatar
Explorer

I would like to alter who has access to different Knox Services. For example, I can currently access all the services using guest:guest-password or admin:admin-password but would like to change that so only admin can access certain services. I believe it will mean changing something in the default.xml file in the Knox topologies. I have tried adding this parameter to the default.xml, but I can still access HBase as a guest.

<param> 
	<name>webhbase.acl</name> 
	<value>admin</value>            
</param>

It's not just HBase I would like to change but custom services too so a more general answer would be very much appreciated.

1 ACCEPTED SOLUTION

avatar

You may find Sample 5 in my recent blog here helpful.

http://kminder.github.io/knox/2015/11/18/knox-with...

The only quick tip I can give you here without more information is that your authorization provider configuration should probably look like this.

    <provider>
      <role>authorization</role>
      <name>AclsAuthz</name>
      <enabled>true</enabled>
      <param name="WEBHBASE.acl" value="admin;*;*"/>
    </provider>

For your custom services all you need to do is match the value before the ".acl" with the role of your custom service. This example may help clarify.

    <provider>
      <role>authorization</role>
      <name>AclsAuthz</name>
      <enabled>true</enabled>
      <param name="WEBHBASE.acl" value="admin;*;*"/>
      <param name="CUSTOM.acl" value="guest;*;*"/>
    </provider> 

Of course you can also use the Ranger authorization plugin and instead of this "AclsAuthz" plugin and define the policy in the Ranger policy UI.

View solution in original post

4 REPLIES 4

avatar
Master Mentor

avatar

You may find Sample 5 in my recent blog here helpful.

http://kminder.github.io/knox/2015/11/18/knox-with...

The only quick tip I can give you here without more information is that your authorization provider configuration should probably look like this.

    <provider>
      <role>authorization</role>
      <name>AclsAuthz</name>
      <enabled>true</enabled>
      <param name="WEBHBASE.acl" value="admin;*;*"/>
    </provider>

For your custom services all you need to do is match the value before the ".acl" with the role of your custom service. This example may help clarify.

    <provider>
      <role>authorization</role>
      <name>AclsAuthz</name>
      <enabled>true</enabled>
      <param name="WEBHBASE.acl" value="admin;*;*"/>
      <param name="CUSTOM.acl" value="guest;*;*"/>
    </provider> 

Of course you can also use the Ranger authorization plugin and instead of this "AclsAuthz" plugin and define the policy in the Ranger policy UI.

avatar

Additional examples are available in the Apache Knox Users Guide under Authorization

avatar
Explorer
@Kevin Minder

Thanks, that worked just as I needed it to.