[ 
https://issues.apache.org/jira/browse/AMBARI-18425?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15667921#comment-15667921
 ] 

Shi Wang commented on AMBARI-18425:
-----------------------------------

This patch adds an authentication option "PAM" in Ambari for Ranger user login, 
since RANGER-842 supports PAM authentication. How this patch works:
1. If the user selects "PAM" as the Ranger authentication method, then during 
Ranger service restart it will create two new PAM files under either /etc/pam.d 
or /etc/pam.conf, according to the PAM version on the operating system. The 
ranger-admin module will be used for Ranger PAM authentication; the 
ranger-remote module is for remote user login.
2. By default, the setting in these two PAM files is:
auth    sufficient        pam_unix.so
auth    sufficient        pam_sss.so
account sufficient        pam_unix.so
account sufficient        pam_sss.so
This default setting will allow the user to authenticate against either unix or 
sssd; sssd could be configured with different backends such as ldap, AD, 
FreeAPI... The user could also configure the PAM file as needed by directly 
modifying it.
3. One thing that needs to be pointed out is that if using the pam_unix.so 
module, ranger-admin must be started as the root user, because it will look up 
the password in the /etc/show file, which is only readable by root.


> Support PAM as an authentication option for Ranger in Ambari
> ------------------------------------------------------------
>
>                 Key: AMBARI-18425
>                 URL: https://issues.apache.org/jira/browse/AMBARI-18425
>             Project: Ambari
>          Issue Type: Task
>          Components: ambari-server, ambari-web
>    Affects Versions: trunk
>            Reporter: Shi Wang
>            Assignee: Shi Wang
>              Labels: security
>             Fix For: trunk
>
>         Attachments: 
> 0001-AMBARI-18425-Support-PAM-as-an-authentication-option.patch
>
>
> RANGER-842 has added PAM support for Ranger; we need to add this part to 
> Ambari, to do automatic setup for Ranger to use PAM authentication.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
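
A check an operator could run against the generated PAM service file, written as an added example (not code from the patch, Ambari or Ranger). It parses the /etc/pam.d line format only, reports which modules can satisfy a stage on their own, and flags the root requirement the comment describes for pam_unix.so. The function names are hypothetical and the sample input is constructed from the default stack quoted in the comment.

```python
import os

# Constructed sample: the default stack quoted in the comment above.
SAMPLE = """\
auth    sufficient        pam_unix.so
auth    sufficient        pam_sss.so
account sufficient        pam_unix.so
account sufficient        pam_sss.so
"""

def parse_pam_service(text):
    """Parse /etc/pam.d-style lines into (type, control, module, args)."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0].startswith("@"):  # Debian-style @include: not expanded here
            continue
        # A bracketed control such as [success=1 default=ignore] spans fields.
        end = 1
        if len(fields) > 1 and fields[1].startswith("["):
            while end < len(fields) - 1 and not fields[end].endswith("]"):
                end += 1
        if len(fields) < end + 2:
            raise ValueError(f"line {lineno}: expected 'type control module'")
        control = " ".join(fields[1:end + 1])
        rules.append((fields[0].lstrip("-"), control, fields[end + 1], fields[end + 2:]))
    return rules

def audit(rules, euid):
    """Return findings for the stack, given the UID ranger-admin runs as."""
    findings = []
    for kind in ("auth", "account"):
        stack = [r for r in rules if r[0] == kind]
        if not stack:
            findings.append(f"{kind}: no rules in this file")
        elif all(r[1] == "sufficient" for r in stack):
            mods = ", ".join(r[2] for r in stack)
            findings.append(f"{kind}: any one of [{mods}] succeeding is enough")
    # Per the comment: pam_unix.so only works when ranger-admin runs as root.
    if euid != 0 and any(r[0] == "auth" and r[2] == "pam_unix.so" for r in rules):
        findings.append("auth: pam_unix.so present but process is not root")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_pam_service(SAMPLE), os.geteuid()):
        print(finding)
```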
