[ https://issues.apache.org/jira/browse/KNOX-2066?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Larry McCay updated KNOX-2066:
------------------------------
    Description: 
By providing a composite authz provider, we will be able to configure multiple 
authz providers in a single topology. This will allow the use of both the 
AclsAuthz provider and the Ranger Knox plugin where available.

All authorization providers used within the CompositeAuthz provider will need 
to grant access for the request processing to continue to the protected 
resource. This is a logical AND across all the providers.

Since this simple implementation has no flow control of its own, OR would not 
be possible without considerably more work.

We can address that based on demand.

The following is an example of what configuration of the CompositeAuthz 
provider is like.
{code:java}
        <provider>
            <role>authorization</role>
            <name>CompositeAuthz</name>
            <enabled>true</enabled>
            <param>
                <name>composite.provider.names</name>
                <value>AclsAuthz,SomeOther</value>
            </param>
            <param>
                <name>AclsAuthz.webhdfs.acl</name>
                <value>admin;*;*</value>
            </param>
            <param>
                <name>SomeOther.webhdfs.acl</name>
                <value>admin;*;*</value>
            </param>
        </provider>{code}
Note the comma-separated list of provider names in the composite.provider.names 
param.

Also note the use of those names as prefixes to the params to be set on the 
respective providers.

The prefixes are removed and the expected param names are set on the actual 
providers as appropriate.

  was:
By providing a composite authz provider, we will be able to configure multiple 
authz providers in a single topology. This will allow the use of both the 
AclsAuthz provider and the Ranger Knox plugin where available.

All authorization providers used within the CompositeAuthz provider will need 
to grant access for the request processing to continue to the protected 
resource. This is a logical AND across all the providers.

Since this simple implementation has not flow control of it's own OR would not 
be possible without considerably more work.

We can address that based on demand.

The following is an example of what configuration of the CompositeAuthz 
provider is like.
{code:java}
        <provider>
            <role>authorization</role>
            <name>CompositeAuthz</name>
            <enabled>true</enabled>
            <param>
                <name>composite.provider.names</name>
                <value>AclsAuthz,SomeOther</value>
            </param>
            <param>
                <name>AclsAuthz.webhdfs.acl</name>
                <value>admin;*;*</value>
            </param>
            <param>
                <name>SomeOther.webhdfs.acl</name>
                <value>admin;*;*</value>
            </param>
        </provider>{code}
 Note the comma separated list of provider names in composite.provider.names 
param.

Also Note the use of those names as prefixes to the params to be set on the 
respective providers.

The prefixes are removed and the expected param names are set on the actual 
providers as appropriate.


> Composite Authz Provider
> ------------------------
>
>                 Key: KNOX-2066
>                 URL: https://issues.apache.org/jira/browse/KNOX-2066
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: Server
>            Reporter: Larry McCay
>            Assignee: Larry McCay
>            Priority: Major
>             Fix For: 1.4.0
>
>
> By providing a composite authz provider, we will be able to configure 
> multiple authz providers in a single topology. This will allow the use of 
> both the AclsAuthz provider and the Ranger Knox plugin where available.
> All authorization providers used within the CompositeAuthz provider will need 
> to grant access for the request processing to continue to the protected 
> resource. This is a logical AND across all the providers.
> Since this simple implementation has no flow control of its own, OR would not 
> be possible without considerably more work.
> We can address that based on demand.
> The following is an example of what configuration of the CompositeAuthz 
> provider is like.
> {code:java}
>         <provider>
>             <role>authorization</role>
>             <name>CompositeAuthz</name>
>             <enabled>true</enabled>
>             <param>
>                 <name>composite.provider.names</name>
>                 <value>AclsAuthz,SomeOther</value>
>             </param>
>             <param>
>                 <name>AclsAuthz.webhdfs.acl</name>
>                 <value>admin;*;*</value>
>             </param>
>             <param>
>                 <name>SomeOther.webhdfs.acl</name>
>                 <value>admin;*;*</value>
>             </param>
>         </provider>{code}
> Note the comma-separated list of provider names in the composite.provider.names 
> param.
> Also note the use of those names as prefixes to the params to be set on the 
> respective providers.
> The prefixes are removed and the expected param names are set on the actual 
> providers as appropriate.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
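
The prefix routing and logical AND described in the issue, as an added sketch that is not Knox's implementation or part of the original message. The class and method names are hypothetical, the ACL check is a toy that reads only the user field, the deny-on-missing-ACL and deny-on-empty-list behaviour are choices of this sketch, and the sample values are constructed.

```java
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.Map;

public class CompositeAuthzSketch {
    /** Route "<provider>.<param>" entries to their provider with the prefix removed. */
    static Map<String, Map<String, String>> routeParams(Map<String, String> params) {
        Map<String, Map<String, String>> routed = new LinkedHashMap<>();
        for (String name : params.getOrDefault("composite.provider.names", "").split(",")) {
            if (!name.trim().isEmpty()) {
                routed.put(name.trim(), new LinkedHashMap<>());
            }
        }
        for (Map.Entry<String, String> e : params.entrySet()) {
            int dot = e.getKey().indexOf('.');
            Map<String, String> target = dot < 0 ? null : routed.get(e.getKey().substring(0, dot));
            if (target != null) { // params for names not in the list are ignored
                target.put(e.getKey().substring(dot + 1), e.getValue());
            }
        }
        return routed;
    }

    /** Toy stand-in for one provider: checks only the user field of "<service>.acl". */
    static boolean providerAllows(Map<String, String> p, String service, String user) {
        String acl = p.get(service + ".acl");
        if (acl == null) return false; // sketch choice: no ACL for the service means deny
        String users = acl.split(";", -1)[0].trim();
        return users.equals("*") || Arrays.asList(users.split(",")).contains(user);
    }

    /** Logical AND: every configured provider must grant; an empty list denies. */
    static boolean authorize(Map<String, String> params, String service, String user) {
        Map<String, Map<String, String>> routed = routeParams(params);
        return !routed.isEmpty() && routed.values().stream()
                .allMatch(p -> providerAllows(p, service, user));
    }

    public static void main(String[] args) {
        Map<String, String> params = new LinkedHashMap<>(); // constructed sample values
        params.put("composite.provider.names", "AclsAuthz,SomeOther");
        params.put("AclsAuthz.webhdfs.acl", "admin,guest;*;*");
        params.put("SomeOther.webhdfs.acl", "admin;*;*");
        System.out.println(routeParams(params));
        System.out.println("admin: " + authorize(params, "webhdfs", "admin"));
        System.out.println("guest: " + authorize(params, "webhdfs", "guest"));
    }
}
```

With these sample values the first provider would admit guest but the second would not, so the composite denies guest and grants only admin.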
