This is an automated email from the ASF dual-hosted git repository.

nixon pushed a commit to branch branch-2.0
in repository https://gitbox.apache.org/repos/asf/atlas.git


The following commit(s) were added to refs/heads/branch-2.0 by this push:
     new 6202f48  ATLAS-1866 :- Documentation for PAM type authentication and 
better logging for PAM auth
6202f48 is described below

commit 6202f48cdc56bb9be112ebc29334b2c915e75b6a
Author: nixonrodrigues <[email protected]>
AuthorDate: Fri Mar 13 12:39:27 2020 +0530

    ATLAS-1866 :- Documentation for PAM type authentication and better logging 
for PAM auth
    
    (cherry picked from commit 2e69f922364285eda332b2da208ce1adb7fa8281)
---
 docs/src/documents/Security/Authentication.md      | 24 ++++++++++++++++++++++
 .../AtlasAbstractAuthenticationProvider.java       |  3 ++-
 .../security/AtlasPamAuthenticationProvider.java   | 19 ++++++++++++++++-
 .../apache/atlas/web/security/PamLoginModule.java  | 10 ++++++++-
 4 files changed, 53 insertions(+), 3 deletions(-)

diff --git a/docs/src/documents/Security/Authentication.md 
b/docs/src/documents/Security/Authentication.md
index 2097820..c8245d0 100644
--- a/docs/src/documents/Security/Authentication.md
+++ b/docs/src/documents/Security/Authentication.md
@@ -20,6 +20,7 @@ Atlas supports following authentication methods
    * **Kerberos**
    * **LDAP**
    * **Keycloak (OpenID Connect / OAUTH2)**
+   * **PAM**
 
 
 Following properties should be set true to enable the authentication of that 
type in `atlas-application.properties` file.
@@ -153,3 +154,26 @@ Setup you keycloak.json per instructions from Keycloak. 
Make sure to include `"p
   "autodetect-bearer-only": true
 }`}
  </SyntaxHighlighter>
+
+ ### PAM.
+
+The prerequisite for enabling PAM authentication, is to have login service 
file in */etc/pam.d/*
+
+To enable the PAM authentication mode in Atlas.
+
+* Set the atlas property `atlas.authentication.method.pam` to true in 
`atlas-application.properties`.
+
+<SyntaxHighlighter wrapLines={true} language="shell" style={theme.dark}>
+{
+`atlas.authentication.method.pam=true`
+}
+</SyntaxHighlighter>
+
+* Set the property `atlas.authentication.method.pam.service=<login service>` 
to use desired PAM login service.
+  For example, set below property to use `/etc/pam.d/login`.
+
+<SyntaxHighlighter wrapLines={true} language="shell" style={theme.dark}>
+{
+ `atlas.authentication.method.pam.service=login`
+}
+</SyntaxHighlighter>
diff --git 
a/webapp/src/main/java/org/apache/atlas/web/security/AtlasAbstractAuthenticationProvider.java
 
b/webapp/src/main/java/org/apache/atlas/web/security/AtlasAbstractAuthenticationProvider.java
index d4f9a0f..545a071 100644
--- 
a/webapp/src/main/java/org/apache/atlas/web/security/AtlasAbstractAuthenticationProvider.java
+++ 
b/webapp/src/main/java/org/apache/atlas/web/security/AtlasAbstractAuthenticationProvider.java
@@ -37,6 +37,7 @@ import java.util.ArrayList;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Set;
+import java.util.Arrays;
 
 import org.apache.atlas.utils.AuthenticationUtil;
 
@@ -106,7 +107,7 @@ public abstract class AtlasAbstractAuthenticationProvider 
implements Authenticat
             String[] groups = ugi.getGroupNames();
 
             if(LOG.isDebugEnabled()) {
-                LOG.debug("UserGroupInformation userGroups=" + groups);
+                LOG.debug("UserGroupInformation userGroups=" + 
Arrays.toString(groups));
             }
 
             if (groups != null) {
diff --git 
a/webapp/src/main/java/org/apache/atlas/web/security/AtlasPamAuthenticationProvider.java
 
b/webapp/src/main/java/org/apache/atlas/web/security/AtlasPamAuthenticationProvider.java
index 9a5a183..0edd898 100644
--- 
a/webapp/src/main/java/org/apache/atlas/web/security/AtlasPamAuthenticationProvider.java
+++ 
b/webapp/src/main/java/org/apache/atlas/web/security/AtlasPamAuthenticationProvider.java
@@ -110,7 +110,7 @@ public class AtlasPamAuthenticationProvider extends 
AtlasAbstractAuthenticationP
             LOG.debug("Pam Authentication Failed:", e);
         }
         if (isDebugEnabled) {
-            LOG.debug("<== AtlasPamAuthenticationProvider 
getPamAuthentication");
+            LOG.debug("<== AtlasPamAuthenticationProvider getPamAuthentication 
: " + jaasAuthenticationProvider);
         }
         return authentication;
     }
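Review bot: The exit trace in getPamAuthentication now appends `jaasAuthenticationProvider`, which identifies the provider object rather than the result of the attempt, so the line does not tell an operator whether the login succeeded. Logging the outcome would serve troubleshooting and audit better, for example `LOG.debug("<== AtlasPamAuthenticationProvider getPamAuthentication : authenticated={}", authentication != null && authentication.isAuthenticated());` (this assumes `authentication` is a Spring Security `Authentication`; its declaration is outside the hunk). The failure branch just above still reports `Pam Authentication Failed:` only at debug level, so rejected logins stay invisible at default log levels; consider a warn-level line without the stack trace. The method starts outside this hunk.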
@@ -127,6 +127,13 @@ public class AtlasPamAuthenticationProvider extends 
AtlasAbstractAuthenticationP
             if (!options.containsKey("service")) {
                 options.put("service", "atlas-login");
             }
+
+            if(LOG.isDebugEnabled()) {
+                LOG.debug("AtlasPAMAuthenticationProvider{groupsFromUGI= "+ 
groupsFromUGI +'\'' +
+                        ", options=" + options +
+                         '}');
+            }
+
         } catch (Exception e) {
             LOG.error("Exception while setLdapProperties", e);
         }
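Review bot: The debug line added in this hunk prints the whole `options` map, and the similar line added in the init hunk further down does the same; if any PAM option ever carries a sensitive value it lands in the log file, so printing `options.keySet()` or an allow-list of keys is safer. The message is also malformed: `groupsFromUGI= ` is followed by a closing `'\''` with no opening quote, the init hunk opens `options='` without closing it, and both spell the class `AtlasPAMAuthenticationProvider` although it is `AtlasPamAuthenticationProvider`. A parameterized call avoids the hand-built quoting: `LOG.debug("AtlasPamAuthenticationProvider: groupsFromUGI={}, optionKeys={}", groupsFromUGI, options.keySet());`. The surrounding `catch` still logs `Exception while setLdapProperties`, which looks copied from the LDAP provider and will mislead anyone reading a PAM failure. The enclosing method starts outside the hunk.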
@@ -148,6 +155,16 @@ public class AtlasPamAuthenticationProvider extends 
AtlasAbstractAuthenticationP
             UserAuthorityGranter[] authorityGranters = new 
UserAuthorityGranter[]{authorityGranter};
             jaasAuthenticationProvider.setAuthorityGranters(authorityGranters);
             jaasAuthenticationProvider.afterPropertiesSet();
+
+            if(LOG.isDebugEnabled()) {
+                LOG.debug("AtlasPAMAuthenticationProvider{" +
+                        "jaasAuthenticationProvider='" + 
jaasAuthenticationProvider + '\'' +
+                        ", loginModuleName='" + loginModuleName + '\'' +
+                        ", controlFlag='" + controlFlag + '\'' +
+                        ", options='" + options + '}');
+            }
+
+
         } catch (Exception e) {
             LOG.error("Failed to init PAM Authentication", e);
         }
diff --git 
a/webapp/src/main/java/org/apache/atlas/web/security/PamLoginModule.java 
b/webapp/src/main/java/org/apache/atlas/web/security/PamLoginModule.java
index 802f6f1..19ffc06 100644
--- a/webapp/src/main/java/org/apache/atlas/web/security/PamLoginModule.java
+++ b/webapp/src/main/java/org/apache/atlas/web/security/PamLoginModule.java
@@ -22,7 +22,8 @@ package org.apache.atlas.web.security;
 import org.jvnet.libpam.PAM;
 import org.jvnet.libpam.PAMException;
 import org.jvnet.libpam.UnixUser;
-
+import org.slf4j.LoggerFactory;
+import org.slf4j.Logger;
 import javax.security.auth.Subject;
 import javax.security.auth.callback.*;
 import javax.security.auth.login.FailedLoginException;
@@ -35,6 +36,8 @@ import java.util.Map;
 import java.util.Set;
 
 public class PamLoginModule extends Object implements LoginModule {
+    private static final Logger LOG = 
LoggerFactory.getLogger(PamLoginModule.class);
+
     public static final String SERVICE_KEY = "service";
 
     private PAM pam;
@@ -110,6 +113,9 @@ public class PamLoginModule extends Object implements 
LoginModule {
 
             initUserName(nameCallback);
             initPassword(passwordCallback);
+
+            if (LOG.isDebugEnabled())
+                LOG.debug("Searching for user " + nameCallback.getName());
         }
         catch (IOException | UnsupportedCallbackException ex)
         {
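Review bot: `nameCallback.getName()` is written to the log before authentication and without neutralisation, so a submitted name containing CR/LF can forge log lines, and a password typed into the user-name field by mistake is recorded in clear text. Strip line breaks before logging, e.g. `LOG.debug("Searching for user {}", String.valueOf(nameCallback.getName()).replaceAll("[\\r\\n]", "_"));`, and keep this line at debug level only. The unbraced `if (LOG.isDebugEnabled())` also departs from the braced guards used in the other files of this commit. The enclosing method starts outside the hunk.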
@@ -150,6 +156,8 @@ public class PamLoginModule extends Object implements 
LoginModule {
             principal = new PamPrincipal(user);
             authSucceeded = true;
 
+            if (LOG.isDebugEnabled())
+                LOG.debug("user " + username );
             return true;
         }
         catch (PAMException ex)
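Review bot: The message added after `authSucceeded = true` is only `"user " + username`, which does not say what happened; name the event, e.g. `LOG.debug("PAM authentication succeeded for user {}", username);`. The `catch (PAMException ex)` branch that follows is cut off by the hunk, so whether a failed attempt is logged at all cannot be seen here; if it is not, a matching failure line (user name only, never the password) would make the pair usable for detecting repeated failed logins. The `if` is unbraced here as well.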
