ambari-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Shi Wang (JIRA)" <>
Subject [jira] [Commented] (AMBARI-18425) Support PAM as an authentication option for Ranger in Ambari
Date Tue, 15 Nov 2016 18:46:59 GMT


Shi Wang commented on AMBARI-18425:

This patch adds an authentication option "PAM" in ambari for ranger user login since RANGER-842
supports PAM authentication. How this patch works:
1.  If user select "PAM" from Ranger authentication method, during ranger service restart,
it will create two new pam file under either /etc/pam.d or /etc/pam.conf according to the
pam version on the operating system. And ranger-admin module will be used for ranger PAM authentication,
ranger-remote module is for remote user login.
2. By default, the setting in these two PAM file is:
auth    sufficient
auth    sufficient
account sufficient
account sufficient
This default setting will allow user authenticate either against unix or sssd, sssd could
be configured with different backends such as ldap, AD, FreeAPI... User could also configure
the pam file as needed by directly modifying the pam file.
3. One thing needs to be pointed out is if using module, ranger-admin must be
started as root user, because it will look up password in /etc/show file and it is only readable
by root. 

> Support PAM as an authentication option for Ranger in Ambari
> ------------------------------------------------------------
>                 Key: AMBARI-18425
>                 URL:
>             Project: Ambari
>          Issue Type: Task
>          Components: ambari-server, ambari-web
>    Affects Versions: trunk
>            Reporter: Shi Wang
>            Assignee: Shi Wang
>              Labels: security
>             Fix For: trunk
>         Attachments: 0001-AMBARI-18425-Support-PAM-as-an-authentication-option.patch
> Ranger-842 has added PAM support for ranger, we need to add this part to ambari, to do
automatic setup for ranger to use PAM authentication.

This message was sent by Atlassian JIRA

View raw message