You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@knox.apache.org by "Kevin Minder (JIRA)" <ji...@apache.org> on 2016/01/13 22:18:39 UTC
[jira] [Comment Edited] (KNOX-537) Linux PAM Authentication
Provider
[ https://issues.apache.org/jira/browse/KNOX-537?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15097001#comment-15097001 ]
Kevin Minder edited comment on KNOX-537 at 1/13/16 9:18 PM:
------------------------------------------------------------
* home/conf/*
** I think these should be moved to either gateway-release/home/samples/pam or gateway-release/home/templates/pam whichever is more appropriate. Keep in mind that we have trouble articulating the difference between the two. In general however samples is intended to be more instructive and templates more real world fill in the blank an use.
** This statement "Requirements: Requires /etc/shadow be made readable by the user executing java" concerns me. I would imagine admins would be reluctant to do this.
* gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/shirorealm/KnoxPamRealm.java
** 22-23: Unused imports
** 35: Remove whitespace
** 65: Typo 'subsytem'
** 83: Unused static LOG. Remove the import too if possible.
** 126-127: Combine these into a single log line.
* gateway-provider-security-shiro/src/test/java/org/apache/hadoop/gateway/shirorealm/KnoxPamRealmTest.java
** This doesn't really test anything
* gateway-provider-security-shiro
** 76: Do not specify the version here. That should only be done in the root pom to ensure version consistency.
* gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/filter/ShiroSubjectIdentityAdapter.java
** 20-25: Unused imports.
** 71: Remove the extraneous cast.
** 98: Remove the extraneous cast.
** 115: Should this check for a particular principal type?
** Something seems wrong here. If the shiroSubject.getPrincipals().asSet() contains the primary principal won't that end up in the userGroups anyway? Can you explain why you needed to add this code path. cc [~lmccay@apache.org]
* gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/shirorealm/UnixUserPrincipal.java
** Is this really a UnixPrincipal or a PamPrincipal? For example if you use knox-pam-winbind-*
** 22: Unused import
service isn't this a "windows" user?
** 43: Whay the String.valueOf()?
was (Author: kminder):
* home/conf/*
** I think these should be moved to either gateway-release/home/samples/pam or gateway-release/home/templates/pam whichever is more appropriate. Keep in mind that we have trouble articulating the difference between the two. In general however samples is intended to be more instructive and templates more real world fill in the blank an use.
** This statement "Requirements: Requires /etc/shadow be made readable by the user executing java" concerns me. I would imagine admins would be reluctant to do this.
* gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/shirorealm/KnoxPamRealm.java
** 22-23: Unused imports
** 35: Remove whitespace
** 65: Typo 'subsytem'
** 83: Unused static LOG. Remove the import too if possible.
** 126-127: Combine these into a single log line.
* gateway-provider-security-shiro/src/test/java/org/apache/hadoop/gateway/shirorealm/KnoxPamRealmTest.java
** This doesn't really test anything
* gateway-provider-security-shiro
** 76: Do not specify the version here. That should only be done in the root pom to ensure version consistency.
* gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/filter/ShiroSubjectIdentityAdapter.java
** 20-25: Unused imports.
** 71: Remove the extraneous cast.
** 98: Remove the extraneous cast.
** 115: Should this check for a particular principal type?
** Something seems wrong here. If the shiroSubject.getPrincipals().asSet() contains the primary principal won't that end up in the userGroups anyway? Can you explain why you needed to add this code path. cc [~lmccay@apache.org]
* gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/shirorealm/UnixUserPrincipal.java
** Is this really a UnixPrincipal or a PamPrincipal? For example if you use knox-pam-winbind-* ** 22: Unused import
service isn't this a "windows" user?
** 43: Whay the String.valueOf()?
> Linux PAM Authentication Provider
> ---------------------------------
>
> Key: KNOX-537
> URL: https://issues.apache.org/jira/browse/KNOX-537
> Project: Apache Knox
> Issue Type: Bug
> Components: Server
> Affects Versions: 0.5.0, 0.6.0, 0.7.0
> Environment: All
> Reporter: Jeffrey E Rodriguez
> Assignee: Jeffrey E Rodriguez
> Labels: knox, pam
> Fix For: 0.8.0
>
> Attachments: 0001-knox-537-add-pam-authentication-support.patch
>
> Original Estimate: 168h
> Remaining Estimate: 168h
>
> OS level PAM security provides great interface for authentication and authorization. For example, sssd provides support for manage Active Directory nested OU by adjusting ldap_group_nesting_level = 5. Knox configuration is configured to interact with LDAP directly, but this has two short cominges. First, hgh volume traffic is likely to make too many queries to AD without cache. Second, complex logic of LDAP queries can not map correctly to UserDnTemplate without adding more ldap specific logic into JndiLdapRealm code and parameters.
> Knox can be improved to use PAM to out source complex OS to AD interaction to sssd. It is possible to implement a shiro PAM plugin to reduce the complex LDAP logic that is starting to accumulate in Knox.
> Looks like there is a least a start for this here.
> https://github.com/plaflamme/shiro-libpam4j
> libpam4j is available via Maven and uses an MIT license
> http://mvnrepository.com/artifact/org.jvnet.libpam4j/libpam4j/1.4
> This might be a great addition to Knox.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)