ranger-dev mailing list archives

From Bolke de Bruin <bdbr...@gmail.com>
Subject Review Request 43584: allow to use PAM for authentication
Date Mon, 15 Feb 2016 21:01:54 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/43584/
-----------------------------------------------------------

Review request for ranger.


Bugs: RANGER-842
    https://issues.apache.org/jira/browse/RANGER-842


Repository: ranger


Description
-------

Per jira issue RANGER-842 this patch allows using PAM for authentication. Next to that it
changes the standard "/etc/passwd" remote authentication to PAM. It continues to build on
RANGER-827.

Why
/etc/passwd and /etc/group do not necessarily expose all users on Linux or any modern unix.
Authentication and authorization are normally arranged by PAM. Also OS auditing is hard without
using PAM.

Licenses
* the jaas implementation was a straight port from https://github.com/dirk-olmes/jaas-pam/
which is MIT licensed (https://github.com/dirk-olmes/jaas-pam/blob/master/LICENSE.txt)
* libpam4j which is used by the jaas implementation is also MIT licensed (https://github.com/kohsuke/libpam4j)

Implementation & usage
* Implementation was done for JAAS and Remote (C)
* For remote authentication it is now needed to have the pam headers and libraries installed
(not available currently with rangerqa)
* For remote authentication a /etc/pamd.d/ranger-remote config file is required. This is hardcoded
in the C file. This file needs to exist otherwise authentication will fail.
* For local authentication the property "ranger.pam.service" can be configured. It defaults
to "ranger-admin" and thus refers to /etc/pam.d/ranger-admin by default. This file needs to
exist otherwise authentication will fail
* To enable PAM authentication set ranger.authentication.method to PAM.


Diffs
-----

  NOTICE.txt 94b1118
  pom.xml 3835fb4
  security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java cfdd9bc
  unixauthclient/pom.xml bf7508b
  unixauthclient/src/main/java/org/apache/ranger/authentication/unix/jaas/PamLoginModule.java PRE-CREATION
  unixauthclient/src/main/java/org/apache/ranger/authentication/unix/jaas/PamPrincipal.java PRE-CREATION
  unixauthclient/src/main/java/org/apache/ranger/authentication/unix/jaas/UsernamePasswordCallbackHandler.java PRE-CREATION
  unixauthnative/pom.xml 3625b94
  unixauthnative/src/main/c/credValidator.c d706a93

Diff: https://reviews.apache.org/r/43584/diff/


Testing
-------

Installed on test cluster using SSSD as a nss backend. User logged in with PAM credentials.


Thanks,

Bolke de Bruin
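
An added preflight check, not part of this patch or of Ranger, for the local-authentication requirements listed under "Implementation & usage": ranger.authentication.method set to PAM, and a PAM service file named by ranger.pam.service (default "ranger-admin") that actually exists. It assumes the settings are readable as key=value lines in a file; the helper names prop_value, pam_service_name and check_pam_config are hypothetical.

```shell
# Constructed preflight check for the settings named in the review request.
# Assumptions: settings are available as key=value lines in a file, and the
# PAM directory is /etc/pam.d unless another directory is passed in.
# Usage: check_pam_config /path/to/settings.properties [pam_dir]

# prop_value <file> <key>: print the last value assigned to <key>, if any.
prop_value() {
    awk -F= -v key="$2" '
        /^[ \t]*#/ { next }              # skip comment lines
        NF < 2     { next }              # skip lines without "="
        { k = $1; gsub(/[ \t]/, "", k) }
        k == key {
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            found = v
        }
        END { print found }
    ' "$1"
}

# pam_service_name <file>: the configured service, or "ranger-admin"
# (the default stated in the review request) when the key is unset.
pam_service_name() {
    svc=$(prop_value "$1" ranger.pam.service)
    printf '%s\n' "${svc:-ranger-admin}"
}

# check_pam_config <file> [pam_dir]
# Returns 0 when PAM is selected and the service file is usable,
#         1 when ranger.authentication.method is not PAM,
#         2 when the service file is missing,
#         3 when the service file has no active (non-comment) rule.
check_pam_config() {
    method=$(prop_value "$1" ranger.authentication.method)
    [ "$method" = "PAM" ] || return 1
    service_file="${2:-/etc/pam.d}/$(pam_service_name "$1")"
    [ -f "$service_file" ] || { echo "missing: $service_file" >&2; return 2; }
    grep -Eq '^[[:space:]]*[^#[:space:]]' "$service_file" ||
        { echo "no active rules: $service_file" >&2; return 3; }
    return 0
}
```
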

