1. Set up an Authorization Provider

The ACLAuthz provider determines who is able to access a service through the Knox Gateway by comparing the effective user, group, and originating IP address of the request to the rules defined in the authorization provider.

Configure the AclsAuthz provider as follows:

Open the cluster topology descriptor file, $cluster-name.xml, in a text editor.

Add a AclsAuthz authorization provider to topology/gateway with a parameter for each service as follows:

<provider>
    <role>authorization</role>     
    <name>AclsAuthz</name>
    <enabled>true</enabled>
    <param>
        <name>$service_name.acl.mode</name>
        <value>$mode</value>
    </param>
    <param>
        <name>$service_Name.acl</name>
        <value>$cluster_users;$groups_field;$IP_field</value>
    </param> 
    ...
</provider>

Where:

$service_name matches the name of a service element. For example, webhdfs.

$mode determines the how the request is evaluated against the fields as follows:

AND specifies that the request must match an entry in all three fields of the corresponding $service_name.acl parameter.
OR specifies that the request only needs to match an entry in any field, $users_field OR $groups_field, OR $IP_field.

	Note
	The `$service_name.acl.mode` parameter is optional. When it is not defined, the default mode is `AND`; therefore requests to that service must match all three fields.

$cluster_users is a comma separated list of effective users. Use a wildcard (*) to match all users.
$groups_field is a comma separated list of groups. Use a wildcard (*) to match all groups.
$IP_field is a comma separated list of IPv4 addresses. An IP address in the list can contain wildcard at the end to indicate a subnet (for example: 192.168.*). Use a wildcard (*) to match all addresses.

Save the file.
The gateway creates a new WAR file with modified timestamp in $gateway_home\data\deployments .

Legal notices