AMBARI-18425: Support PAM as an authentication option for Ranger in Ambari (Shi Wang via mugdha)
Project: http://git-wip-us.apache.org/repos/asf/ambari/repo Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/a10cc80b Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/a10cc80b Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/a10cc80b Branch: refs/heads/branch-dev-patch-upgrade Commit: a10cc80b3b75fa3bfa3d51d5e0382e1b56d61913 Parents: 74869f9 Author: Shi Wang <[email protected]> Authored: Thu Nov 17 13:03:38 2016 -0800 Committer: Mugdha Varadkar <[email protected]> Committed: Tue Nov 22 12:35:51 2016 +0530 ---------------------------------------------------------------------- .../0.4.0/package/scripts/setup_ranger_xml.py | 18 ++++++++++++++++ .../0.4.0/package/templates/ranger_admin_pam.j2 | 22 ++++++++++++++++++++ .../package/templates/ranger_remote_pam.j2 | 22 ++++++++++++++++++++ .../0.5.0/configuration/ranger-admin-site.xml | 2 +- ambari-web/app/data/HDP2.3/site_properties.js | 3 +++ 5 files changed, 66 insertions(+), 1 deletion(-) ----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ambari/blob/a10cc80b/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/setup_ranger_xml.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/setup_ranger_xml.py b/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/setup_ranger_xml.py
index f1b4797..316d207 100644
--- a/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/setup_ranger_xml.py
+++ b/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/setup_ranger_xml.py
@@ -166,6 +166,24 @@ def setup_ranger_admin(upgrade_type=None): Link('/usr/bin/ranger-admin', to=format('{ranger_home}/ews/ranger-admin-services.sh')) + + if default("/configurations/ranger-admin-site/ranger.authentication.method", "") == 'PAM': + d = '/etc/pam.d' + if os.path.isdir(d): + File(format('{d}/ranger-admin'), + content=Template('ranger_admin_pam.j2'), + owner = params.unix_user, + group = params.unix_group, + mode=0644 + ) + File(format('{d}/ranger-remote'), + content=Template('ranger_remote_pam.j2'), + owner = params.unix_user, + group = params.unix_group, + mode=0644 + ) + else: + Logger.error("Unable to use PAM authentication, /etc/pam.d/ directory does not exist.") Execute(('ln','-sf', format('{ranger_home}/ews/ranger-admin-services.sh'),'/usr/bin/ranger-admin'), not_if=format("ls /usr/bin/ranger-admin"), http://git-wip-us.apache.org/repos/asf/ambari/blob/a10cc80b/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/templates/ranger_admin_pam.j2 ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/templates/ranger_admin_pam.j2 b/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/templates/ranger_admin_pam.j2 new file mode 100644 index 0000000..d69ad6c --- /dev/null +++ b/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/templates/ranger_admin_pam.j2 
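Review bot: Both `File` resources written under `/etc/pam.d` use `owner = params.unix_user` and `group = params.unix_group`; if these are the Ranger service account, as the names suggest, the process that performs authentication can rewrite its own PAM stack. PAM service definitions are normally root-owned, so both resources should use `owner = 'root',` and `group = 'root',` while keeping `mode=0644`. Separately, when `ranger.authentication.method` is `PAM` and `/etc/pam.d` is missing, the `else` branch only calls `Logger.error` and setup continues with an authentication method that has no service file. Raising a failure there (resource_management's `Fail`, if it is imported in this script) would surface the misconfiguration at deploy time instead of at first login. `setup_ranger_admin` starts and ends outside this hunk.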
@@ -0,0 +1,22 @@
+{#
+ # Licensed to the Apache Software Foundation (ASF) under one
+ # or more contributor license agreements. See the NOTICE file
+ # distributed with this work for additional information
+ # regarding copyright ownership. The ASF licenses this file
+ # to you under the Apache License, Version 2.0 (the
+ # "License"); you may not use this file except in compliance
+ # with the License. You may obtain a copy of the License at
+ #
+ # http://www.apache.org/licenses/LICENSE-2.0
+ #
+ # Unless required by applicable law or agreed to in writing, software
+ # distributed under the License is distributed on an "AS IS" BASIS,
+ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ # See the License for the specific language governing permissions and
+ # limitations under the License.
+ #}
+#%PAM-1.0
+auth sufficient pam_unix.so
+auth sufficient pam_sss.so
+account sufficient pam_unix.so
+account sufficient pam_sss.so
http://git-wip-us.apache.org/repos/asf/ambari/blob/a10cc80b/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/templates/ranger_remote_pam.j2
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/templates/ranger_remote_pam.j2 b/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/templates/ranger_remote_pam.j2
new file mode 100644
index 0000000..d69ad6c
--- /dev/null
+++ b/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/templates/ranger_remote_pam.j2
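Review bot: In ranger_admin_pam.j2 every entry is `sufficient`, so the `account` phase stops at the first module that succeeds. On Linux-PAM, `account sufficient pam_unix.so` usually returns success for a user with no local shadow entry, which would mean the `pam_sss.so` account checks (expiry, SSSD access rules) are never consulted for directory users; please confirm on the target distributions. Making the account checks cumulative, e.g. `account required pam_unix.so` followed by `account [default=bad success=ok user_unknown=ignore] pam_sss.so`, and closing the auth stack with `auth required pam_deny.so` makes the deny path explicit instead of relying on how the library resolves a stack with no decisive module. ranger_remote_pam.j2 is the same blob (`d69ad6c`) and needs the same change. A one-line comment in each template naming the expected backends (local accounts and SSSD) would help operators who run neither.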
@@ -0,0 +1,22 @@
+{#
+ # Licensed to the Apache Software Foundation (ASF) under one
+ # or more contributor license agreements. See the NOTICE file
+ # distributed with this work for additional information
+ # regarding copyright ownership. The ASF licenses this file
+ # to you under the Apache License, Version 2.0 (the
+ # "License"); you may not use this file except in compliance
+ # with the License. You may obtain a copy of the License at
+ #
+ # http://www.apache.org/licenses/LICENSE-2.0
+ #
+ # Unless required by applicable law or agreed to in writing, software
+ # distributed under the License is distributed on an "AS IS" BASIS,
+ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ # See the License for the specific language governing permissions and
+ # limitations under the License.
+ #}
+#%PAM-1.0
+auth sufficient pam_unix.so
+auth sufficient pam_sss.so
+account sufficient pam_unix.so
+account sufficient pam_sss.so
http://git-wip-us.apache.org/repos/asf/ambari/blob/a10cc80b/ambari-server/src/main/resources/common-services/RANGER/0.5.0/configuration/ranger-admin-site.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/RANGER/0.5.0/configuration/ranger-admin-site.xml b/ambari-server/src/main/resources/common-services/RANGER/0.5.0/configuration/ranger-admin-site.xml
index c0e537b..c52924c 100644
--- a/ambari-server/src/main/resources/common-services/RANGER/0.5.0/configuration/ranger-admin-site.xml
+++ b/ambari-server/src/main/resources/common-services/RANGER/0.5.0/configuration/ranger-admin-site.xml
@@ -184,7 +184,7 @@
 <name>ranger.authentication.method</name>
 <value>UNIX</value>
 <display-name>Authentication method</display-name>
- <description>Ranger admin Authentication - UNIX/LDAP/AD/NONE</description>
+ <description>Ranger admin Authentication - UNIX/PAM/LDAP/AD/NONE</description>
 <value-attributes>
 <overridable>false</overridable>
 </value-attributes>
http://git-wip-us.apache.org/repos/asf/ambari/blob/a10cc80b/ambari-web/app/data/HDP2.3/site_properties.js
----------------------------------------------------------------------
diff --git a/ambari-web/app/data/HDP2.3/site_properties.js b/ambari-web/app/data/HDP2.3/site_properties.js
index 9ae68df..2dadd1b 100644
--- a/ambari-web/app/data/HDP2.3/site_properties.js
+++ b/ambari-web/app/data/HDP2.3/site_properties.js
@@ -105,6 +105,9 @@ hdp23properties.push({
 foreignKeys: ['ranger.ldap.ad.domain','ranger.ldap.ad.url','ranger.ldap.ad.base.dn','ranger.ldap.ad.bind.dn','ranger.ldap.ad.bind.password','ranger.ldap.ad.referral','ranger.ldap.ad.user.searchfilter']
 },
 {
+ displayName: 'PAM'
+ },
+ {
 displayName: 'UNIX',
 foreignKeys: ['ranger.unixauth.service.port', 'ranger.unixauth.service.hostname', 'ranger.unixauth.remote.login.enabled']
 },
