Posted to dev@knox.apache.org by "Henning Kropp (JIRA)" <ji...@apache.org> on 2016/04/14 13:53:25 UTC

[jira] [Commented] (KNOX-537) Linux PAM Authentication Provider

    [ https://issues.apache.org/jira/browse/KNOX-537?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15241021#comment-15241021 ] 

Henning Kropp commented on KNOX-537:
------------------------------------

We just tested this with Vas/Quest in a multi domain environment with Knox 6.0 (adjusted the patch for 0.6). Works great!

Since we have multi-domain with only a one-way trust this is almost impossible to achieve with the current LDAP realm.

The configuration is drastically reduced to:
{code}
<param>
  <name>main.pamRealm</name>
  <value>org.apache.hadoop.gateway.shirorealm.KnoxPamRealm</value>
</param>
<param>
  <name>main.pamRealm.service</name>
  <value>system-auth</value>
</param>
{code}

One remark concerning the patch: I do like the fact that {{LdapRealm}} does write the computed roles to gateway.log. Could we add something to {{PamRealm}} as well? For example in {{doGetAuthorizationInfo}}?
{code}
ShiroLog.lookedUpUserRoles(roles, user.getName());
{code}

I'm fine if this is considered to be DEBUG only, but I would appreciate it being part of this patch.

Thanks


> Linux PAM Authentication Provider
> ---------------------------------
>
>                 Key: KNOX-537
>                 URL: https://issues.apache.org/jira/browse/KNOX-537
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: Server
>    Affects Versions: 0.5.0, 0.6.0, 0.7.0
>         Environment: All
>            Reporter: Jeffrey E  Rodriguez
>            Assignee: Jeffrey E  Rodriguez
>              Labels: knox, pam
>             Fix For: Future
>
>         Attachments: 0001-knox-537-add-pam-authentication-support.patch
>
>   Original Estimate: 168h
>  Remaining Estimate: 168h
>
> OS level PAM security provides a great interface for authentication and authorization.  For example, sssd provides support for managing Active Directory nested OUs by adjusting ldap_group_nesting_level = 5.  Knox is configured to interact with LDAP directly, but this has two shortcomings.   First, high volume traffic is likely to make too many queries to AD without a cache.  Second, the complex logic of LDAP queries cannot map correctly to UserDnTemplate without adding more LDAP-specific logic into JndiLdapRealm code and parameters.
> Knox can be improved to use PAM to outsource the complex OS to AD interaction to sssd.  It is possible to implement a shiro PAM plugin to reduce the complex LDAP logic that is starting to accumulate in Knox.
> Looks like there is at least a start for this here.
> https://github.com/plaflamme/shiro-libpam4j
> libpam4j is available via Maven and uses an MIT license 
> http://mvnrepository.com/artifact/org.jvnet.libpam4j/libpam4j/1.4
> This might be a great addition to Knox.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
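To illustrate what the configuration above wires together and the role logging the comment asks for, here is an added example (not the KNOX-537 patch and not Knox's own code) of a minimal Shiro AuthorizingRealm backed by libpam4j: it authenticates against the PAM service named by the `main.pamRealm.service` parameter and logs the groups it resolved as roles at DEBUG level in `doGetAuthorizationInfo`. The class name `ExamplePamRealm`, the `service` setter, and the use of an SLF4J logger in place of Knox's `ShiroLog` are assumptions of this example.

```java
import java.util.Set;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.AllowAllCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.jvnet.libpam.PAM;
import org.jvnet.libpam.PAMException;
import org.jvnet.libpam.UnixUser;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

// Hypothetical realm for illustration; the patch's real class is KnoxPamRealm.
public class ExamplePamRealm extends AuthorizingRealm {
    private static final Logger LOG = LoggerFactory.getLogger(ExamplePamRealm.class);
    // Injected from the "main.pamRealm.service" param; same default as the snippet above.
    private String service = "system-auth";

    // PAM has already verified the password, so Shiro must not try to match credentials again.
    public ExamplePamRealm() { setCredentialsMatcher(new AllowAllCredentialsMatcher()); }
    public void setService(String service) { this.service = service; }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        UsernamePasswordToken upToken = (UsernamePasswordToken) token;
        PAM pam = null;
        try {
            pam = new PAM(service);
            // libpam4j runs the PAM conversation; sssd/VAS handles the AD lookup, caching and nesting.
            UnixUser user = pam.authenticate(upToken.getUsername(), new String(upToken.getPassword()));
            // Keep the UnixUser as principal so its groups are available for authorization; store no credentials.
            return new SimpleAuthenticationInfo(user, null, getName());
        } catch (PAMException e) {
            throw new AuthenticationException("PAM authentication failed for " + upToken.getUsername(), e);
        } finally {
            if (pam != null) pam.dispose();
        }
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        UnixUser user = (UnixUser) principals.getPrimaryPrincipal();
        Set<String> roles = user.getGroups(); // OS/AD groups resolved through PAM become Shiro roles
        // The logging the comment asks for, at DEBUG level, analogous to LdapRealm's computed-roles entry.
        LOG.debug("Computed roles for user {}: {}", user.getUserName(), roles);
        return new SimpleAuthorizationInfo(roles);
    }
}
```

Because the authentication info carries no credentials, a cached or replayed AuthenticationInfo cannot leak the password, and the DEBUG line is the only place the resolved group set appears in gateway.log.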