[
https://issues.apache.org/jira/browse/KNOX-537?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15241021#comment-15241021
]
Henning Kropp edited comment on KNOX-537 at 4/14/16 11:54 AM:
--------------------------------------------------------------
We just tested this with Vas/Quest in a multi domain environment with Knox 0.6
(adjusted the patch for 0.6). Works great!
Since we have multi-domain with only a one-way trust this is almost impossible
to achieve with the current LDAP realm.
The configuration drastically is reduced to:
{code}
<param>
<name>main.pamRealm</name>
<value>org.apache.hadoop.gateway.shirorealm.KnoxPamRealm</value>
</param>
<param>
<name>main.pamRealm.service</param>
<value>system-auth</value>
</param>
{code}
One remark concerning the patch: I do like the fact that {{LdapRealm}} does
write to gateway.log the computed roles for a user. Could we add something to
{{PamRealm}} as well?
For example in {{doGetAuthorizationInfo}}:
{code}
ShiroLog.lookedUpUserRoles(roles, user.getName());
{code}
I fine if this is considered to be DEBUG only, but I would appreciate it being
part of this patch.
Thanks
was (Author: hkropp):
We just tested this with Vas/Quest in a multi domain environment with Knox 0.6
(adjusted the patch for 0.6). Works great!
Since we have multi-domain with only a one-way trust this is almost impossible
to achieve with the current LDAP realm.
The configuration drastically is reduced to:
{code}
<param>
<name>main.pamRealm</name>
<value>org.apache.hadoop.gateway.shirorealm.KnoxPamRealm</value>
</param>
<param>
<name>main.pamRealm.service</param>
<value>system-auth</value>
</param>
{code}
One remark concerning the patch: I do like the fact that {{LdapRealm}} does
wirte to gateway.log the compute roles. Could we add something to {{PamRealm}}
as well? For example in {{doGetAuthorizationInfo}}?
{code}
ShiroLog.lookedUpUserRoles(roles, user.getName());
{code}
I fine if this is considered to be DEBUG only, but I would appreciate it being
part of this patch.
Thanks
> Linux PAM Authentication Provider
> ---------------------------------
>
> Key: KNOX-537
> URL: https://issues.apache.org/jira/browse/KNOX-537
> Project: Apache Knox
> Issue Type: Bug
> Components: Server
> Affects Versions: 0.5.0, 0.6.0, 0.7.0
> Environment: All
> Reporter: Jeffrey E Rodriguez
> Assignee: Jeffrey E Rodriguez
> Labels: knox, pam
> Fix For: Future
>
> Attachments: 0001-knox-537-add-pam-authentication-support.patch
>
> Original Estimate: 168h
> Remaining Estimate: 168h
>
> OS level PAM security provides great interface for authentication and
> authorization. For example, sssd provides support for manage Active
> Directory nested OU by adjusting ldap_group_nesting_level = 5. Knox
> configuration is configured to interact with LDAP directly, but this has two
> short cominges. First, hgh volume traffic is likely to make too many
> queries to AD without cache. Second, complex logic of LDAP queries can not
> map correctly to UserDnTemplate without adding more ldap specific logic into
> JndiLdapRealm code and parameters.
> Knox can be improved to use PAM to out source complex OS to AD interaction to
> sssd. It is possible to implement a shiro PAM plugin to reduce the complex
> LDAP logic that is starting to accumulate in Knox.
> Looks like there is a least a start for this here.
> https://github.com/plaflamme/shiro-libpam4j
> libpam4j is available via Maven and uses an MIT license
> http://mvnrepository.com/artifact/org.jvnet.libpam4j/libpam4j/1.4
> This might be a great addition to Knox.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
