ambari-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Shi Wang (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (AMBARI-18425) Support PAM as an authentication option for Ranger in Ambari
Date Tue, 15 Nov 2016 18:46:59 GMT

    [ https://issues.apache.org/jira/browse/AMBARI-18425?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15667921#comment-15667921
] 

Shi Wang commented on AMBARI-18425:
-----------------------------------

This patch adds an authentication option "PAM" in ambari for ranger user login since RANGER-842
supports PAM authentication. How this patch works:
1.  If user select "PAM" from Ranger authentication method, during ranger service restart,
it will create two new pam file under either /etc/pam.d or /etc/pam.conf according to the
pam version on the operating system. And ranger-admin module will be used for ranger PAM authentication,
ranger-remote module is for remote user login.
2. By default, the setting in these two PAM file is:
auth    sufficient        pam_unix.so
auth    sufficient        pam_sss.so
account sufficient        pam_unix.so
account sufficient        pam_sss.so
This default setting will allow user authenticate either against unix or sssd, sssd could
be configured with different backends such as ldap, AD, FreeAPI... User could also configure
the pam file as needed by directly modifying the pam file.
3. One thing needs to be pointed out is if using pam_unix.so module, ranger-admin must be
started as root user, because it will look up password in /etc/show file and it is only readable
by root. 


> Support PAM as an authentication option for Ranger in Ambari
> ------------------------------------------------------------
>
>                 Key: AMBARI-18425
>                 URL: https://issues.apache.org/jira/browse/AMBARI-18425
>             Project: Ambari
>          Issue Type: Task
>          Components: ambari-server, ambari-web
>    Affects Versions: trunk
>            Reporter: Shi Wang
>            Assignee: Shi Wang
>              Labels: security
>             Fix For: trunk
>
>         Attachments: 0001-AMBARI-18425-Support-PAM-as-an-authentication-option.patch
>
>
> Ranger-842 has added PAM support for ranger, we need to add this part to ambari, to do
automatic setup for ranger to use PAM authentication.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message