Description
By providing a composite authz provider, we will be able to configure multiple authz providers in a single topology. This will allow the use of both the AclsAuthz provider and the Ranger Knox plugin where available.
All authorization providers used within the CompositeAuthz provider will need to grant access for the request processing to continue to the protected resource. This is a logical AND across all the providers.
Since this simple implementation has no flow control of its own, a logical OR would not be possible without considerably more work.
We can address that based on demand.
The following is an example configuration of the CompositeAuthz provider:
<provider>
    <role>authorization</role>
    <name>CompositeAuthz</name>
    <enabled>true</enabled>
    <param>
        <name>composite.provider.names</name>
        <value>AclsAuthz,SomeOther</value>
    </param>
    <param>
        <name>AclsAuthz.webhdfs.acl</name>
        <value>admin;*;*</value>
    </param>
    <param>
        <name>SomeOther.webhdfs.acl</name>
        <value>admin;*;*</value>
    </param>
</provider>
Note the comma-separated list of provider names in the composite.provider.names param.
Also note the use of those names as prefixes to the params to be set on the respective providers.
The prefixes are removed and the expected param names are set on the actual providers as appropriate.
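The prefix routing and the logical AND described above can be checked offline with a small script. This is an added example, not Knox code: `route_params` and `composite_allows` are hypothetical names, the sample adds one constructed param with a misspelled prefix, and denying on an empty provider list is an assumption of this sketch.

```python
import xml.etree.ElementTree as ET

NAMES_PARAM = "composite.provider.names"

# Constructed sample: the provider block above plus one deliberately
# misspelled prefix ("AclAuthz") that matches no listed provider name.
SAMPLE = """
<provider>
  <role>authorization</role>
  <name>CompositeAuthz</name>
  <enabled>true</enabled>
  <param><name>composite.provider.names</name><value>AclsAuthz,SomeOther</value></param>
  <param><name>AclsAuthz.webhdfs.acl</name><value>admin;*;*</value></param>
  <param><name>SomeOther.webhdfs.acl</name><value>admin;*;*</value></param>
  <param><name>AclAuthz.webhdfs.acl</name><value>admin;*;*</value></param>
</provider>
"""

def route_params(provider_xml):
    """Split params by provider-name prefix; return (routed, unrouted)."""
    root = ET.fromstring(provider_xml)
    params = {p.findtext("name", "").strip(): p.findtext("value", "").strip()
              for p in root.findall("param")}
    names = [n.strip() for n in params.pop(NAMES_PARAM, "").split(",") if n.strip()]
    routed = {n: {} for n in names}
    unrouted = {}
    for key, value in params.items():
        owner = next((n for n in names if key.startswith(n + ".")), None)
        if owner:
            routed[owner][key[len(owner) + 1:]] = value  # prefix removed
        else:
            unrouted[key] = value  # matches no listed name: flag for review
    return routed, unrouted

def composite_allows(decisions):
    """Logical AND over delegate decisions (provider name -> bool).
    Assumption of this sketch: an empty delegate list denies."""
    return bool(decisions) and all(decisions.values())

if __name__ == "__main__":
    routed, unrouted = route_params(SAMPLE)
    print("routed:", routed)
    print("unrouted (check spelling):", unrouted)
    print("granted:", composite_allows({"AclsAuthz": True, "SomeOther": False}))
```

A param that lands in the unrouted set is worth reviewing before deployment, since an ACL the operator believes is in force may not be set on any provider.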