Posted to dev@ranger.apache.org by Bolke de Bruin <bd...@gmail.com> on 2016/02/15 22:01:54 UTC

Review Request 43584: allow to use PAM for authentication

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/43584/
-----------------------------------------------------------

Review request for ranger.


Bugs: RANGER-842
    https://issues.apache.org/jira/browse/RANGER-842


Repository: ranger


Description
-------

Per JIRA issue RANGER-842, this patch allows using PAM for authentication. Next to that, it changes the standard "/etc/passwd" remote authentication to PAM. It continues to build on RANGER-827.

Why
/etc/passwd and /etc/group do not necessarily expose all users on Linux or any modern Unix. Authentication and authorization are normally arranged by PAM. Also, OS auditing is hard without using PAM.

Licenses
* The JAAS implementation was a straight port from https://github.com/dirk-olmes/jaas-pam/ which is MIT licensed (https://github.com/dirk-olmes/jaas-pam/blob/master/LICENSE.txt)
* libpam4j, which is used by the JAAS implementation, is also MIT licensed (https://github.com/kohsuke/libpam4j)

Implementation & usage
* Implementation was done for JAAS and Remote (C)
* For remote authentication it is now necessary to have the PAM headers and libraries installed (not available currently with rangerqa)
* For remote authentication a /etc/pamd.d/ranger-remote config file is required. This is hardcoded in the C file. This file needs to exist, otherwise authentication will fail.
* For local authentication the property "ranger.pam.service" can be configured. It defaults to "ranger-admin" and thus refers to /etc/pam.d/ranger-admin by default. This file needs to exist, otherwise authentication will fail.
* To enable PAM authentication set ranger.authentication.method to PAM.


Diffs
-----

  NOTICE.txt 94b1118 
  pom.xml 3835fb4 
  security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java cfdd9bc 
  unixauthclient/pom.xml bf7508b 
  unixauthclient/src/main/java/org/apache/ranger/authentication/unix/jaas/PamLoginModule.java PRE-CREATION 
  unixauthclient/src/main/java/org/apache/ranger/authentication/unix/jaas/PamPrincipal.java PRE-CREATION 
  unixauthclient/src/main/java/org/apache/ranger/authentication/unix/jaas/UsernamePasswordCallbackHandler.java PRE-CREATION 
  unixauthnative/pom.xml 3625b94 
  unixauthnative/src/main/c/credValidator.c d706a93 

Diff: https://reviews.apache.org/r/43584/diff/


Testing
-------

Installed on test cluster using SSSD as a nss backend. User logged in with PAM credentials.


Thanks,

Bolke de Bruin
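
A pre-flight check for the PAM service files the description above says must exist, as an added example that is not part of the original message or the patch. The function name, the `pam_dir` parameter and the return codes are assumptions of this example; it only verifies that the service file is present and carries an `auth` rule or an `@include`, not that the stack itself is sound.

```shell
# check_pam_service [service] [pam_dir]
#   service : PAM service name; defaults to "ranger-admin", the default the
#             description gives for ranger.pam.service ("ranger-remote" is the
#             name it gives for remote authentication)
#   pam_dir : directory holding the service files (assumption of this example,
#             parameterised so the check can be run against a test directory)
# Returns: 0 usable, 1 file missing, 2 unreadable, 3 no auth rule, 4 bad name
check_pam_service() {
    service="${1:-ranger-admin}"
    pam_dir="${2:-/etc/pam.d}"

    # A service name is a single file name; refuse anything that could
    # resolve outside pam_dir.
    case "$service" in
        */*|.*) echo "invalid service name: $service" >&2; return 4 ;;
    esac

    file="$pam_dir/$service"
    if [ ! -f "$file" ]; then
        echo "missing: $file (authentication will fail)" >&2
        return 1
    fi
    if [ ! -r "$file" ]; then
        echo "unreadable: $file" >&2
        return 2
    fi

    # Count non-comment rules of type "auth" (optionally "-auth"), plus
    # Debian-style "@include" lines that may pull auth rules in.
    auth_rules=$(awk '
        /^[[:space:]]*#/ { next }
        $1 == "auth" || $1 == "-auth" || $1 == "@include" { n++ }
        END { print n + 0 }' "$file")
    if [ "$auth_rules" -eq 0 ]; then
        echo "no auth rule in $file" >&2
        return 3
    fi

    echo "ok: $file ($auth_rules auth/include rule(s))"
    return 0
}
```

Run it as the account the Ranger process uses, so the readability check reflects what the process will see.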