[
https://issues.apache.org/jira/browse/KNOX-537?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15097001#comment-15097001
]
Kevin Minder edited comment on KNOX-537 at 1/13/16 9:18 PM:
------------------------------------------------------------
* home/conf/*
** I think these should be moved to either gateway-release/home/samples/pam or
gateway-release/home/templates/pam whichever is more appropriate. Keep in mind
that we have trouble articulating the difference between the two. In general
however samples is intended to be more instructive and templates more real
world fill in the blank and use.
** This statement "Requirements: Requires /etc/shadow be made readable by the
user executing java" concerns me. I would imagine admins would be reluctant to
do this.
* gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/shirorealm/KnoxPamRealm.java
** 22-23: Unused imports
** 35: Remove whitespace
** 65: Typo 'subsytem'
** 83: Unused static LOG. Remove the import too if possible.
** 126-127: Combine these into a single log line.
* gateway-provider-security-shiro/src/test/java/org/apache/hadoop/gateway/shirorealm/KnoxPamRealmTest.java
** This doesn't really test anything
* gateway-provider-security-shiro
** 76: Do not specify the version here. That should only be done in the root
pom to ensure version consistency.
* gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/filter/ShiroSubjectIdentityAdapter.java
** 20-25: Unused imports.
** 71: Remove the extraneous cast.
** 98: Remove the extraneous cast.
** 115: Should this check for a particular principal type?
** Something seems wrong here. If the shiroSubject.getPrincipals().asSet()
contains the primary principal won't that end up in the userGroups anyway? Can
you explain why you needed to add this code path. cc [[email protected]]
* gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/shirorealm/UnixUserPrincipal.java
** 22: Unused import
** Is this really a UnixPrincipal or a PamPrincipal? For example if you use the
knox-pam-winbind-* service isn't this a "windows" user?
** 43: Why the String.valueOf()?
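The principal-type question raised in the review above (ShiroSubjectIdentityAdapter line 115, and the remark that the primary principal in shiroSubject.getPrincipals().asSet() may end up in userGroups) can be illustrated with a small added example. This is not code from the KNOX-537 patch or from Knox itself; it uses Shiro's public PrincipalCollection API (getPrimaryPrincipal, asSet, byType, SimplePrincipalCollection) and two hypothetical marker classes, PamUserPrincipal and PamGroupPrincipal, standing in for whatever types a PAM realm would emit. The realm name "pamRealm" and the user/group names are constructed sample values.

```java
import java.util.LinkedHashSet;
import java.util.Set;

import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;

/**
 * Added example (not Knox code): deriving the user and the group set from a
 * Shiro PrincipalCollection by principal type instead of copying asSet().
 */
public class PrincipalSplitExample {

  /** Hypothetical marker type for the PAM-authenticated user. */
  public static final class PamUserPrincipal {
    private final String name;
    public PamUserPrincipal(String name) { this.name = name; }
    public String getName() { return name; }
    @Override public String toString() { return name; }
  }

  /** Hypothetical marker type for a group the PAM stack reported. */
  public static final class PamGroupPrincipal {
    private final String name;
    public PamGroupPrincipal(String name) { this.name = name; }
    public String getName() { return name; }
    @Override public String toString() { return name; }
  }

  /**
   * The pattern the review questions: every principal in the collection is
   * treated as a group, so the primary (user) principal leaks into the group
   * set. Filtering by name instead would be wrong the other way round if a
   * group happens to share the user's name.
   */
  public static Set<String> groupsFromAsSet(PrincipalCollection principals) {
    Set<String> groups = new LinkedHashSet<>();
    for (Object p : principals.asSet()) {
      groups.add(String.valueOf(p));
    }
    return groups;
  }

  /** Only PamGroupPrincipal instances are groups, whatever their names. */
  public static Set<String> groupsByType(PrincipalCollection principals) {
    Set<String> groups = new LinkedHashSet<>();
    for (PamGroupPrincipal g : principals.byType(PamGroupPrincipal.class)) {
      groups.add(g.getName());
    }
    return groups;
  }

  /** The user is the primary principal, and its type is checked explicitly. */
  public static String userByType(PrincipalCollection principals) {
    Object primary = principals.getPrimaryPrincipal();
    if (!(primary instanceof PamUserPrincipal)) {
      throw new IllegalStateException("primary principal is not a PAM user: " + primary);
    }
    return ((PamUserPrincipal) primary).getName();
  }

  public static void main(String[] args) {
    // Constructed sample: user "alice" with groups "hadoop" and "knox".
    SimplePrincipalCollection pc = new SimplePrincipalCollection();
    pc.add(new PamUserPrincipal("alice"), "pamRealm");
    pc.add(new PamGroupPrincipal("hadoop"), "pamRealm");
    pc.add(new PamGroupPrincipal("knox"), "pamRealm");

    System.out.println("user:          " + userByType(pc));
    System.out.println("asSet groups:  " + groupsFromAsSet(pc)); // contains "alice"
    System.out.println("typed groups:  " + groupsByType(pc));    // hadoop, knox only
  }
}
```

The contrast is the point of the review remark: with the asSet() approach the user name appears among the groups, which downstream authorization would treat as a group membership; splitting by type keeps the identity and the group set apart and makes the principal type the adapter expects explicit.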
> Linux PAM Authentication Provider
> ---------------------------------
>
> Key: KNOX-537
> URL: https://issues.apache.org/jira/browse/KNOX-537
> Project: Apache Knox
> Issue Type: Bug
> Components: Server
> Affects Versions: 0.5.0, 0.6.0, 0.7.0
> Environment: All
> Reporter: Jeffrey E Rodriguez
> Assignee: Jeffrey E Rodriguez
> Labels: knox, pam
> Fix For: 0.8.0
>
> Attachments: 0001-knox-537-add-pam-authentication-support.patch
>
> Original Estimate: 168h
> Remaining Estimate: 168h
>
> OS level PAM security provides a great interface for authentication and
> authorization. For example, sssd provides support for managing Active
> Directory nested OUs by adjusting ldap_group_nesting_level = 5. Knox
> configuration is configured to interact with LDAP directly, but this has two
> shortcomings. First, high volume traffic is likely to make too many
> queries to AD without cache. Second, complex logic of LDAP queries cannot
> map correctly to UserDnTemplate without adding more ldap specific logic into
> JndiLdapRealm code and parameters.
> Knox can be improved to use PAM to outsource complex OS to AD interaction to
> sssd. It is possible to implement a shiro PAM plugin to reduce the complex
> LDAP logic that is starting to accumulate in Knox.
> Looks like there is at least a start for this here.
> https://github.com/plaflamme/shiro-libpam4j
> libpam4j is available via Maven and uses an MIT license
> http://mvnrepository.com/artifact/org.jvnet.libpam4j/libpam4j/1.4
> This might be a great addition to Knox.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)