The ACLAuthz provider determines who is able to access a service through the Knox Gateway by comparing the
authenticated user, group, and originating IP address of the request to the rules defined in the authorization provider.
Configure the AclsAuthz provider as follows:
Open the cluster topology descriptor file,
$cluster-name .xml, in a text editor.Add a
AclsAuthzauthorization provider totopology/gatewaywith a parameter for each service as follows:<provider> <role>authorization</role> <name>AclsAuthz</name> <enabled>true</enabled> <param> <name> $service_name .acl.mode</name> <value> $mode </value> </param> <param> <name> $service_Name .acl</name> <value> $cluster_users ; $groups_field ; $IP_field </value> </param> ... </provider>where:
$service_namematches the name of a service element. For example,webhdfs.$modedetermines how the identity context (the effective user, their associated groups, and the original IP address) is evaluated against the fields as follows:ANDspecifies that the request must match an entry in all three fields of the corresponding$service_name .aclparameter.ORspecifies that the request only needs to match an entry in any field,$users_fieldOR$groups_field, OR$IP_field.
![[Note]](../common/images/admon/note.png)
Note The
$service_name .acl.modeparameter is optional. When it is not defined, the default mode isAND; therefore requests to that service must match all three fields.$cluster_usersis a comma-separated list of authenticated users. Use a wildcard (*) to match all users.$groups_fieldis a comma-separated list of groups. Use a wildcard (*) to match all groups.$IP_fieldis a comma-separated list of IPv4 or IPv6 addresses. An IP address in the list can contain wildcard at the end to indicate a subnet (for example: 192.168.*). Use a wildcard (*) to match all addresses.
Save the file.
The gateway creates a new WAR file with modified timestamp in
$gateway/data/deployments.
