Posted to dev@knox.apache.org by Tanping Wang <ta...@gmail.com> on 2015/07/14 21:09:24 UTC

Can Knox Work without LDAP -- Adding PAM Module into Knox

Hi, folks,
Today Knox cannot work without LDAP.  For demo purposes, we would like to
demonstrate that Knox can work with simple authentication, for example,
base Unix OS authentication.  I believe this is not possible today?  Please
correct me if I am wrong.  We are working on adding a PAM module to Knox's
Shiro framework, so that Knox can
1) authenticate against the base Unix OS -- for demo purposes only
2) more importantly, nested OUs would work for LDAP.

Regards,
Tanping

Re: Can Knox Work without LDAP -- Adding PAM Module into Knox

Posted by larry mccay <la...@gmail.com>.
Nice!
I look forward to seeing this!

On Tue, Jul 14, 2015 at 3:47 PM, Kevin Minder <ke...@hortonworks.com>
wrote:

> Excellent.  I look forward to this valuable contribution to Knox.
>
>
>
>
> On 7/14/15, 3:41 PM, "Jeffrey Rodriguez" <je...@gmail.com> wrote:
>
> >I have implemented PAM authentication based on shiro-libpam4j and it is
> >integrated with Knox 0.6.0 to do OS authentication; as soon as I finish
> >testing with LDAP using PAM I will post the design, document and a patch.
> >
> >On Tue, Jul 14, 2015 at 12:25 PM, Kevin Minder <
> kevin.minder@hortonworks.com
> >> wrote:
> >
> >> Hi,
> >>
> >> We would be very interested in a PAM module for Knox.  Did some quick
> >> searching and found this: https://github.com/plaflamme/shiro-libpam4j
> >>
> >> We have done some experimentation with very simple demo setups with
> >> credentials directly in topology files but decided against promoting it.
> >> If this were something you were interested in I could re-figure this
> out.
> >>
> >> We've also been looking into buji-pac4j for several other authentication
> >> models (e.g. OAuth, CAS, OpenID, SAML, etc).  The limiting issue is that
> >> they aren’t really targeted at active profile REST API use as far as we
> >> have been able to determine.
> >>
> >> Kevin.
> >>
> >>
> >>
> >> On 7/14/15, 3:09 PM, "Tanping Wang" <ta...@gmail.com> wrote:
> >>
> >> >Hi, folks,
> >> >Today Knox cannot work without LDAP.  For demo purposes, we would like
> >> >to demonstrate that Knox can work with simple authentication, for
> >> >example, base Unix OS authentication.  I believe this is not possible
> >> >today?  Please correct me if I am wrong.  We are working on adding a
> >> >PAM module to Knox's Shiro framework, so that Knox can
> >> >1) authenticate against the base Unix OS -- for demo purposes only
> >> >2) more importantly, nested OUs would work for LDAP.
> >> >
> >> >Regards,
> >> >Tanping
> >>
>

Re: Can Knox Work without LDAP -- Adding PAM Module into Knox

Posted by Kevin Minder <ke...@hortonworks.com>.
Excellent.  I look forward to this valuable contribution to Knox.




On 7/14/15, 3:41 PM, "Jeffrey Rodriguez" <je...@gmail.com> wrote:

>I have implemented PAM authentication based on shiro-libpam4j and it is
>integrated with Knox 0.6.0 to do OS authentication; as soon as I finish
>testing with LDAP using PAM I will post the design, document and a patch.
>
>On Tue, Jul 14, 2015 at 12:25 PM, Kevin Minder <kevin.minder@hortonworks.com
>> wrote:
>
>> Hi,
>>
>> We would be very interested in a PAM module for Knox.  Did some quick
>> searching and found this: https://github.com/plaflamme/shiro-libpam4j
>>
>> We have done some experimentation with very simple demo setups with
>> credentials directly in topology files but decided against promoting it.
>> If this were something you were interested in I could re-figure this out.
>>
>> We've also been looking into buji-pac4j for several other authentication
>> models (e.g. OAuth, CAS, OpenID, SAML, etc).  The limiting issue is that
>> they aren’t really targeted at active profile REST API use as far as we
>> have been able to determine.
>>
>> Kevin.
>>
>>
>>
>> On 7/14/15, 3:09 PM, "Tanping Wang" <ta...@gmail.com> wrote:
>>
>> >Hi, folks,
>> >Today Knox cannot work without LDAP.  For demo purposes, we would like
>> >to demonstrate that Knox can work with simple authentication, for example,
>> >base Unix OS authentication.  I believe this is not possible today?
>> >Please correct me if I am wrong.  We are working on adding a PAM module
>> >to Knox's Shiro framework, so that Knox can
>> >1) authenticate against the base Unix OS -- for demo purposes only
>> >2) more importantly, nested OUs would work for LDAP.
>> >
>> >Regards,
>> >Tanping
>>

Re: Can Knox Work without LDAP -- Adding PAM Module into Knox

Posted by Jeffrey Rodriguez <je...@gmail.com>.
I have implemented PAM authentication based on shiro-libpam4j and it is
integrated with Knox 0.6.0 to do OS authentication; as soon as I finish
testing with LDAP using PAM I will post the design, document and a patch.

On Tue, Jul 14, 2015 at 12:25 PM, Kevin Minder <kevin.minder@hortonworks.com
> wrote:

> Hi,
>
> We would be very interested in a PAM module for Knox.  Did some quick
> searching and found this: https://github.com/plaflamme/shiro-libpam4j
>
> We have done some experimentation with very simple demo setups with
> credentials directly in topology files but decided against promoting it.
> If this were something you were interested in I could re-figure this out.
>
> We've also been looking into buji-pac4j for several other authentication
> models (e.g. OAuth, CAS, OpenID, SAML, etc).  The limiting issue is that
> they aren’t really targeted at active profile REST API use as far as we
> have been able to determine.
>
> Kevin.
>
>
>
> On 7/14/15, 3:09 PM, "Tanping Wang" <ta...@gmail.com> wrote:
>
> >Hi, folks,
> >Today Knox cannot work without LDAP.  For demo purposes, we would like
> >to demonstrate that Knox can work with simple authentication, for example,
> >base Unix OS authentication.  I believe this is not possible today?
> >Please correct me if I am wrong.  We are working on adding a PAM module
> >to Knox's Shiro framework, so that Knox can
> >1) authenticate against the base Unix OS -- for demo purposes only
> >2) more importantly, nested OUs would work for LDAP.
> >
> >Regards,
> >Tanping
>
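
A worked example of the approach Jeff describes, added here and not taken from his patch or from the Knox code base: a Shiro realm that hands the submitted username and password to the host's PAM stack through libpam4j (the `org.jvnet.libpam` library that shiro-libpam4j wraps) and turns the account's Unix groups into Shiro roles. The package, the class name `PamRealm` and the default PAM service name `knox` are assumptions; the libpam4j and Shiro calls are the libraries' real APIs.

```java
// Added example, not code from the Knox project or from the patch discussed in
// this thread. A Shiro realm that delegates password verification to the
// host's PAM stack through libpam4j (org.jvnet.libpam), the library that
// shiro-libpam4j wraps, and exposes the user's Unix groups as Shiro roles.
// Assumed dependencies: org.kohsuke:libpam4j and org.apache.shiro:shiro-core.
// The package, the class name and the default service name "knox" are assumed.
package example.knox.pam;

import java.util.Set;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.AllowAllCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.jvnet.libpam.PAM;
import org.jvnet.libpam.PAMException;
import org.jvnet.libpam.UnixUser;

public class PamRealm extends AuthorizingRealm {

    // PAM service name, i.e. the file under /etc/pam.d consulted for this
    // realm. A dedicated service lets the administrator choose pam_unix,
    // pam_ldap, pam_sss, ... for the gateway without touching "login" or "sshd".
    private String service = "knox";

    public PamRealm() {
        // PAM does the password check inside doGetAuthenticationInfo; there is
        // no stored hash for Shiro to compare against afterwards, so disable
        // the second comparison instead of returning a fake credential.
        setCredentialsMatcher(new AllowAllCredentialsMatcher());
    }

    public String getService() { return service; }
    public void setService(String service) { this.service = service; }

    @Override
    public boolean supports(AuthenticationToken token) {
        return token instanceof UsernamePasswordToken;
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        UsernamePasswordToken upToken = (UsernamePasswordToken) token;
        String username = upToken.getUsername();
        char[] password = upToken.getPassword();
        if (username == null || username.isEmpty() || password == null || password.length == 0) {
            // Reject empty credentials before PAM sees them: a stack configured
            // with "nullok" would otherwise accept an empty password.
            throw new AuthenticationException("username and password are required");
        }

        PAM pam = null;
        try {
            pam = new PAM(service);
            // Runs the PAM conversation for this service; throws on any failure.
            UnixUser user = pam.authenticate(username, new String(password));
            // Use the account name PAM resolved as the principal, not the raw
            // client input, so identity assertion downstream sees a canonical name.
            return new SimpleAuthenticationInfo(user.getUserName(), password, getName());
        } catch (PAMException e) {
            // Wrap rather than forward the PAM message: it can differ between
            // "no such user" and "wrong password" and would leak account existence.
            throw new AuthenticationException("PAM authentication failed", e);
        } finally {
            if (pam != null) {
                pam.dispose(); // releases the native pam handle
            }
        }
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        String username = (String) getAvailablePrincipal(principals);
        try {
            // Local account lookup; the Unix groups become Shiro roles that an
            // authorization provider can gate services on.
            Set<String> groups = new UnixUser(username).getGroups();
            return new SimpleAuthorizationInfo(groups);
        } catch (PAMException e) {
            // Account no longer resolvable at authorization time: no roles.
            return new SimpleAuthorizationInfo();
        }
    }
}
```

Two practical caveats for anyone trying this. First, the realm runs inside the gateway JVM, so it authenticates with the gateway's own privileges: `pam_unix` needs to read `/etc/shadow`, and its `unix_chkpwd` helper only verifies the calling user's own password when invoked as non-root, so an unprivileged gateway cannot check other local accounts through `pam_unix` unless its account is granted read access to the shadow file (for example via the `shadow` group); `pam_ldap` or `pam_sss` in the chosen service file do not have that limitation. Second, the cleartext password reaches the realm, so the realm is only as safe as the TLS in front of it. In a Knox topology this realm would be wired through the ShiroProvider's `main.*` parameters the same way the LDAP realm is (assumed, by analogy: `main.pamRealm=example.knox.pam.PamRealm`, `main.pamRealm.service=knox`, `main.securityManager.realms=$pamRealm`).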

Re: Can Knox Work without LDAP -- Adding PAM Module into Knox

Posted by Jeffrey Rodriguez <je...@gmail.com>.
Thanks Tanping, I am happy to see you also agree with that.
Regards,
Jeff

On Tue, Jul 14, 2015 at 10:22 PM, Tanping Wang <ta...@gmail.com> wrote:

> It seems that we all agree that PAM support for Knox is very valuable to
> have.  Just created the JIRA:
> https://issues.apache.org/jira/browse/KNOX-568
>
> Jeff,
> Please upload the design and patch for the Knox community to review.
> Please make sure to add unit tests.
>
> Regards,
> Tanping
>
> On Tue, Jul 14, 2015 at 10:13 PM, Tanping Wang <ta...@gmail.com> wrote:
>
> > Hi, Kevin,
> > The PAM module implementation request was customer driven.  We had
> > customer requests on using LDAP with nested OUs.  We also had requests
> > from the field that they do not want Knox authentication to work against
> > LDAP.  One of the reasons is that the SSL cert generated by Knox is
> > self-signed and we are having issues, for example, with the weak DH
> > cipher key problems starting on Firefox.  So our thought was that if this
> > is just for demo purposes anyway, we could just use the base OS to
> > authenticate once the PAM module is supported.  With the PAM module
> > implementation, we can have both:
> > 1) LDAP nested OU support
> > 2) Simple authentication based on the base Unix OS.
> >
> > Kevin, to answer your question:  I think we are good for now without
> > setting up credentials directly in the topology files for demo purposes.
> > Would like to hear your opinions too.
> >
> > Regards,
> > Tanping
> >
> > On Tue, Jul 14, 2015 at 12:25 PM, Kevin Minder <
> > kevin.minder@hortonworks.com> wrote:
> >
> >> Hi,
> >>
> >> We would be very interested in a PAM module for Knox.  Did some quick
> >> searching and found this: https://github.com/plaflamme/shiro-libpam4j
> >>
> >> We have done some experimentation with very simple demo setups with
> >> credentials directly in topology files but decided against promoting it.
> >> If this were something you were interested in I could re-figure this
> out.
> >>
> >> We've also been looking into buji-pac4j for several other authentication
> >> models (e.g. OAuth, CAS, OpenID, SAML, etc).  The limiting issue is that
> >> they aren’t really targeted at active profile REST API use as far as we
> >> have been able to determine.
> >>
> >> Kevin.
> >>
> >>
> >>
> >> On 7/14/15, 3:09 PM, "Tanping Wang" <ta...@gmail.com> wrote:
> >>
> >> >Hi, folks,
> >> >Today Knox cannot work without LDAP.  For demo purposes, we would like
> >> >to demonstrate that Knox can work with simple authentication, for
> >> >example, base Unix OS authentication.  I believe this is not possible
> >> >today?  Please correct me if I am wrong.  We are working on adding a
> >> >PAM module to Knox's Shiro framework, so that Knox can
> >> >1) authenticate against the base Unix OS -- for demo purposes only
> >> >2) more importantly, nested OUs would work for LDAP.
> >> >
> >> >Regards,
> >> >Tanping
> >>
> >
> >
>

Re: Can Knox Work without LDAP -- Adding PAM Module into Knox

Posted by Tanping Wang <ta...@gmail.com>.
It seems that we all agree that PAM support for Knox is very valuable to
have.  Just created the JIRA:
https://issues.apache.org/jira/browse/KNOX-568

Jeff,
Please upload the design and patch for the Knox community to review.
Please make sure to add unit tests.

Regards,
Tanping

On Tue, Jul 14, 2015 at 10:13 PM, Tanping Wang <ta...@gmail.com> wrote:

> Hi, Kevin,
> The PAM module implementation request was customer driven.  We had
> customer requests on using LDAP with nested OUs.  We also had requests from
> the field that they do not want Knox authentication to work against
> LDAP.  One of the reasons is that the SSL cert generated by Knox is
> self-signed and we are having issues, for example, with the weak DH cipher
> key problems starting on Firefox.  So our thought was that if this is just
> for demo purposes anyway, we could just use the base OS to authenticate once
> the PAM module is supported.  With the PAM module implementation, we can have
> both:
> 1) LDAP nested OU support
> 2) Simple authentication based on the base Unix OS.
>
> Kevin, to answer your question:  I think we are good for now without
> setting up credentials directly in the topology files for demo purposes.
> Would like to hear your opinions too.
>
> Regards,
> Tanping
>
> On Tue, Jul 14, 2015 at 12:25 PM, Kevin Minder <
> kevin.minder@hortonworks.com> wrote:
>
>> Hi,
>>
>> We would be very interested in a PAM module for Knox.  Did some quick
>> searching and found this: https://github.com/plaflamme/shiro-libpam4j
>>
>> We have done some experimentation with very simple demo setups with
>> credentials directly in topology files but decided against promoting it.
>> If this were something you were interested in I could re-figure this out.
>>
>> We've also been looking into buji-pac4j for several other authentication
>> models (e.g. OAuth, CAS, OpenID, SAML, etc).  The limiting issue is that
>> they aren’t really targeted at active profile REST API use as far as we
>> have been able to determine.
>>
>> Kevin.
>>
>>
>>
>> On 7/14/15, 3:09 PM, "Tanping Wang" <ta...@gmail.com> wrote:
>>
>> >Hi, folks,
>> >Today Knox cannot work without LDAP.  For demo purposes, we would like
>> >to demonstrate that Knox can work with simple authentication, for
>> >example, base Unix OS authentication.  I believe this is not possible
>> >today?  Please correct me if I am wrong.  We are working on adding a
>> >PAM module to Knox's Shiro framework, so that Knox can
>> >1) authenticate against the base Unix OS -- for demo purposes only
>> >2) more importantly, nested OUs would work for LDAP.
>> >
>> >Regards,
>> >Tanping
>>
>
>

Re: Can Knox Work without LDAP -- Adding PAM Module into Knox

Posted by Tanping Wang <ta...@gmail.com>.
Hi, Kevin,
The PAM module implementation request was customer driven.  We had customer
requests on using LDAP with nest OU.  We also had requests from the field
that they do not want to Knox authentication to work against LDAP.  One of
the reasons being that the SSL cert generated by Knox is self-signed and we
are having issues, for example, with the weak DH cipher key problems
starting on Firefox.  So our thought was that if this is  just for demo
purpose anyway, we could just use the base OS to authenticate once PAM
module is supported.  With the PAM module implementation, we can have both:
1) LDAP nested OU support
2) Simple authentication based on base Unix.

Kevin, to answer your question:  I think we are good for now without set up
credentials directly on the topology files for demo purpose.  Would like to
hear your opinions too.

Regards,
Tanping

On Tue, Jul 14, 2015 at 12:25 PM, Kevin Minder <kevin.minder@hortonworks.com
> wrote:

> Hi,
>
> We would be very interested in a PAM module for Knox.  Did some quick
> searching and found this: https://github.com/plaflamme/shiro-libpam4j
>
> We have done some experimentation with very simple demo setups with
> credentials directly in topology files but decided against promoting it.
> If this were something you were interested in I could re-figure this out.
>
> We've also been looking into buji-pac4j for several other authentication
> models (e.g. OAuth, CAS, OpenID, SAML, etc).  The limiting issue is that
> they aren’t really targeted at active profile REST API use as far as we
> have been able to determine.
>
> Kevin.
>
>
>
> On 7/14/15, 3:09 PM, "Tanping Wang" <ta...@gmail.com> wrote:
>
> >Hi, folks,
> >Today Knox cannot work without LDAP.  For demo purposes, we would like
> >to demonstrate that Knox can work with simple authentication, for example,
> >base Unix OS authentication.  I believe this is not possible today?
> >Please correct me if I am wrong.  We are working on adding a PAM module
> >to Knox's Shiro framework, so that Knox can
> >1) authenticate against the base Unix OS -- for demo purposes only
> >2) more importantly, nested OUs would work for LDAP.
> >
> >Regards,
> >Tanping
>

Re: Can Knox Work without LDAP -- Adding PAM Module into Knox

Posted by Kevin Minder <ke...@hortonworks.com>.
Hi,

We would be very interested in a PAM module for Knox.  Did some quick searching and found this: https://github.com/plaflamme/shiro-libpam4j

We have done some experimentation with very simple demo setups with credentials directly in topology files but decided against promoting it.  If this were something you were interested in I could re-figure this out.

We've also been looking into buji-pac4j for several other authentication models (e.g. OAuth, CAS, OpenID, SAML, etc).  The limiting issue is that they aren’t really targeted at active profile REST API use as far as we have been able to determine.

Kevin.



On 7/14/15, 3:09 PM, "Tanping Wang" <ta...@gmail.com> wrote:

>Hi, folks,
>Today Knox cannot work without LDAP.  For demo purposes, we would like
>to demonstrate that Knox can work with simple authentication, for example,
>base Unix OS authentication.  I believe this is not possible today?  Please
>correct me if I am wrong.  We are working on adding a PAM module to Knox's
>Shiro framework, so that Knox can
>1) authenticate against the base Unix OS -- for demo purposes only
>2) more importantly, nested OUs would work for LDAP.
>
>Regards,
>Tanping