Support Questions
Find answers, ask questions, and share your expertise

Setting "main.ldapRealm.authorizationEnabled" property to false

Setting "main.ldapRealm.authorizationEnabled" property to false

Hi team,

Can you let me know impact of setting "main.ldapRealm.authorizationEnabled" property to false for knox in knox configs?

Is there any impact for other services also [like ranger] ?


Re: Setting "main.ldapRealm.authorizationEnabled" property to false


By setting main.ldapRealm.authorizationEnabled to false (default), you are indicating that there is no need for the ShiroProvider to lookup groups for the user through the KnoxLdapRealm implementation. The impact is that if you are doing service level authorization checks at the gateway itself then the groups will not be available for evaluation by the Knox AclsAuthz provider or the Ranger plugin.

If you are not doing service level authorization checks and relying solely on finer grained ACL/policy enforcement then you can safely leave that as false.