Posted to dev@ranger.apache.org by Bolke de Bruin <bd...@gmail.com> on 2016/02/15 22:01:54 UTC
Review Request 43584: allow to use PAM for authentication
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/43584/
-----------------------------------------------------------
Review request for ranger.
Bugs: RANGER-842
https://issues.apache.org/jira/browse/RANGER-842
Repository: ranger
Description
-------
Per jira issue RANGER-842 this patch allows using PAM for authentication. Next to that, it changes the standard "/etc/passwd" remote authentication to PAM. It continues to build on RANGER-827.
Why
/etc/passwd and /etc/group do not necessarily expose all users on Linux or any modern unix. Authentication and authorization are normally arranged by PAM. Also OS auditing is hard without using PAM.
Licenses
* the jaas implementation was a straight port from https://github.com/dirk-olmes/jaas-pam/ which is MIT licensed (https://github.com/dirk-olmes/jaas-pam/blob/master/LICENSE.txt)
* libpam4j which is used by the jaas implementation is also MIT licensed (https://github.com/kohsuke/libpam4j)
Implementation & usage
* Implementation was done for JAAS and Remote (C)
* For remote authentication it is now needed to have the pam headers and libraries installed (not available currently with rangerqa)
* For remote authentication a /etc/pamd.d/ranger-remote config file is required. This is hardcoded in the C file. This file needs to exist otherwise authentication will fail.
* For local authentication the property "ranger.pam.service" can be configured. It defaults to "ranger-admin" and thus refers to /etc/pam.d/ranger-admin by default. This file needs to exist otherwise authentication will fail
* To enable PAM authentication set ranger.authentication.method to PAM.
Diffs
-----
NOTICE.txt 94b1118
pom.xml 3835fb4
security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java cfdd9bc
unixauthclient/pom.xml bf7508b
unixauthclient/src/main/java/org/apache/ranger/authentication/unix/jaas/PamLoginModule.java PRE-CREATION
unixauthclient/src/main/java/org/apache/ranger/authentication/unix/jaas/PamPrincipal.java PRE-CREATION
unixauthclient/src/main/java/org/apache/ranger/authentication/unix/jaas/UsernamePasswordCallbackHandler.java PRE-CREATION
unixauthnative/pom.xml 3625b94
unixauthnative/src/main/c/credValidator.c d706a93
Diff: https://reviews.apache.org/r/43584/diff/
Testing
-------
Installed on test cluster using SSSD as a nss backend. User logged in with PAM credentials.
Thanks,
Bolke de Bruin
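
A pre-flight check for the two PAM service names mentioned in the message above ("ranger-admin" and "ranger-remote"), added here as an example; it is not part of the patch or of Ranger. The function names, the status words, and the rule that a usable service file needs at least one `auth` and one `account` entry (or an `@include` that may supply them) are assumptions of this example.

```shell
#!/bin/sh
# Added example: verify that a PAM service file exists and carries the rule
# types a login needs before switching ranger.authentication.method to PAM.

# check_pam_service SERVICE [PAM_DIR]
# Prints one status word and returns 0 only for "ok":
#   missing    - the service file is absent
#   unreadable - the file exists but the current user cannot read it
#   no-auth    - no "auth" rule and no @include line (assumed requirement)
#   no-account - no "account" rule and no @include line (assumed requirement)
check_pam_service() {
    svc=$1
    dir=${2:-/etc/pam.d}
    file="$dir/$svc"
    [ -f "$file" ] || { echo missing; return 1; }
    [ -r "$file" ] || { echo unreadable; return 1; }
    auth=0 account=0 includes=0
    # Each rule is "type control module [args]"; a leading "-" on the type
    # is allowed. The "|| [ -n ... ]" keeps a last line without a newline.
    while read -r type _rest || [ -n "$type" ]; do
        case $type in
            ''|'#'*) continue ;;            # blank line or comment
            @include) includes=1 ;;         # rules pulled in from another file
            auth|-auth) auth=1 ;;
            account|-account) account=1 ;;
        esac
    done < "$file"
    if [ "$auth" -eq 0 ] && [ "$includes" -eq 0 ]; then
        echo no-auth; return 1
    fi
    if [ "$account" -eq 0 ] && [ "$includes" -eq 0 ]; then
        echo no-account; return 1
    fi
    echo ok
}

# check_ranger_pam [PAM_DIR]
# Checks both service names from the message and prints one line per service.
# Returns non-zero if either check fails.
check_ranger_pam() {
    rc=0
    for s in ranger-admin ranger-remote; do
        result=$(check_pam_service "$s" "$1") || rc=1
        printf '%s: %s\n' "$s" "$result"
    done
    return $rc
}
```

Call `check_ranger_pam` with no argument to check /etc/pam.d on the host; if "ranger.pam.service" is set to a different name, pass that name to `check_pam_service` instead.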