-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/53722/#review156059
-----------------------------------------------------------

ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/setup_ranger_xml.py (line 163)
<https://reviews.apache.org/r/53722/#comment226199>

Use `default("/configurations/ranger-admin-site/ranger.authentication.method", "")` since it is safer.

ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/setup_ranger_xml.py (lines 164 - 165)
<https://reviews.apache.org/r/53722/#comment226201>

Is there a better way to _discover_ what version of PAM we are configuring? This seems a bit problematic.

- Robert Levas

On Nov. 15, 2016, 8:52 p.m., Shi Wang wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/53722/
> -----------------------------------------------------------
>
> (Updated Nov. 15, 2016, 8:52 p.m.)
>
>
> Review request for Ambari and Robert Levas.
>
>
> Bugs: trunk
>     https://issues.apache.org/jira/browse/trunk
>
>
> Repository: ambari
>
>
> Description
> -------
>
> Ranger-842 has added PAM support for Ranger; we need to add this part to
> Ambari, to do automatic setup for Ranger to use PAM authentication.
>
>
> Diffs
> -----
>
>   ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/setup_ranger_xml.py 4e402e5
>   ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/templates/ranger_admin_pam.j2 PRE-CREATION
>   ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/templates/ranger_remote_pam.j2 PRE-CREATION
>   ambari-server/src/main/resources/common-services/RANGER/0.5.0/configuration/ranger-admin-site.xml c0e537b
>   ambari-web/app/data/HDP2.3/site_properties.js 9ae68df
>
> Diff: https://reviews.apache.org/r/53722/diff/
>
>
> Testing
> -------
>
> In this patch, the default value for the ranger-admin module is
>   auth sufficient pam_unix.so
>   auth sufficient pam_sss.so
>   account sufficient pam_unix.so
>   account sufficient pam_sss.so
> 1. Create a Unix user shiwang, sync the Unix user to Ranger, restart
> ranger-admin as root and log in to Ranger using shiwang; it will succeed.
> 2. Change the ranger-admin pam file to
>   auth sufficient pam_deny.so
>   account sufficient pam_deny.so
> and log in using shiwang; it will fail.
> 3. Change the ranger-admin pam file to
>   auth sufficient pam_ldap.so
>   account sufficient pam_ldap.so
> and use an LDAP user that is already synced in Ranger (it will show a "user not synced"
> error if not synced in Ranger); login will succeed.
> 4. Configure sssd with LDAP; using the synced user from LDAP, login will
> succeed.
>
>
> Thanks,
>
> Shi Wang
>
>
