-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/43584/
-----------------------------------------------------------
Review request for ranger.
Bugs: RANGER-842
https://issues.apache.org/jira/browse/RANGER-842
Repository: ranger
Description
-------
Per jira issue RANGER-842 this patch allows using PAM for authentication. Next
to that it changes the standard "/etc/passwd" remote authentication to PAM. It
continues to build on RANGER-827.
Why
/etc/passwd and /etc/group do not necessarily expose all users on Linux or any
modern unix. Authentication and authorization are normally arranged by PAM.
Also OS auditing is hard without using PAM.
Licenses
* the jaas implementation was a straight port from
https://github.com/dirk-olmes/jaas-pam/ which is MIT licensed
(https://github.com/dirk-olmes/jaas-pam/blob/master/LICENSE.txt)
* libpam4j which is used by the jaas implementation is also MIT licensed
(https://github.com/kohsuke/libpam4j)
Implementation & usage
* Implementation was done for JAAS and Remote (C)
* For remote authentication it is now needed to have the pam headers and
libraries installed (not available currently with rangerqa)
* For remote authentication a /etc/pam.d/ranger-remote config file is
required. This is hardcoded in the C file. This file needs to exist, otherwise
authentication will fail.
* For local authentication the property "ranger.pam.service" can be configured.
It defaults to "ranger-admin" and thus refers to /etc/pam.d/ranger-admin by
default. This file needs to exist, otherwise authentication will fail.
* To enable PAM authentication set ranger.authentication.method to PAM.
Diffs
-----
NOTICE.txt 94b1118
pom.xml 3835fb4
security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java cfdd9bc
unixauthclient/pom.xml bf7508b
unixauthclient/src/main/java/org/apache/ranger/authentication/unix/jaas/PamLoginModule.java PRE-CREATION
unixauthclient/src/main/java/org/apache/ranger/authentication/unix/jaas/PamPrincipal.java PRE-CREATION
unixauthclient/src/main/java/org/apache/ranger/authentication/unix/jaas/UsernamePasswordCallbackHandler.java PRE-CREATION
unixauthnative/pom.xml 3625b94
unixauthnative/src/main/c/credValidator.c d706a93
Diff: https://reviews.apache.org/r/43584/diff/
Testing
-------
Installed on test cluster using SSSD as a nss backend. User logged in with PAM
credentials.
Thanks,
Bolke de Bruin
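
A pre-flight check for the two PAM service files the description requires, as an added example that is not part of the review request or of Ranger's code: it reports a missing file, group or world write permission, an absent `auth` stack, or an `auth` stack made up only of `pam_permit.so`. The function names and the choice of checks are assumptions of this example; the service names and the `/etc/pam.d` location come from the description.

```python
import os
import re
import stat

PAM_DIR = "/etc/pam.d"  # standard Linux-PAM service directory
# Service names from the description: ranger-remote is hardcoded in the C
# validator, ranger-admin is the default value of ranger.pam.service.
SERVICES = ("ranger-remote", "ranger-admin")
RULE = re.compile(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def parse_rules(text):
    """Return (type, control, module) for each rule in a pam.d service file."""
    rules = []
    for raw in text.replace("\\\n", " ").splitlines():  # join continuations
        line = raw.split("#", 1)[0].strip()              # drop comments
        if line.startswith("@include"):                  # Debian-style include
            rules.append(("@include", "", line.split()[-1]))
            continue
        m = RULE.match(line)
        if m:                                            # unparsable lines are skipped
            rules.append(m.groups())
    return rules

def audit_service(name, pam_dir=PAM_DIR):
    """Return findings for one PAM service file; an empty list means no issue."""
    path = os.path.join(pam_dir, name)
    if not os.path.isfile(path):
        # Per the description, authentication fails when this file is absent.
        return [f"{path}: missing"]
    findings = []
    if os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{path}: writable by group or others")
    with open(path, encoding="utf-8") as fh:
        rules = parse_rules(fh.read())
    # An @include may pull in auth rules, so count it as part of the stack.
    auth = [r for r in rules if r[0] in ("auth", "@include")]
    if not auth:
        findings.append(f"{path}: no auth rules")
    elif all(r[2].endswith("pam_permit.so") for r in auth):
        findings.append(f"{path}: auth stack is only pam_permit.so, no credential is checked")
    return findings

if __name__ == "__main__":
    for svc in SERVICES:
        for line in audit_service(svc) or [f"{PAM_DIR}/{svc}: ok"]:
            print(line)
```

If `ranger.pam.service` has been changed from its default, pass that value to `audit_service` instead of `ranger-admin`.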