-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/53722/
-----------------------------------------------------------
(Updated Nov. 17, 2016, 7:47 a.m.)
Review request for Ambari and Robert Levas.
Bugs: trunk
https://issues.apache.org/jira/browse/trunk
Repository: ambari
Description
-------
Ranger-842 has added PAM support for Ranger. We need to add this part to
Ambari, to automatically set up Ranger to use PAM authentication.
Diffs (updated)
-----
ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/setup_ranger_xml.py
6462495
ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/templates/ranger_admin_pam.j2
PRE-CREATION
ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/templates/ranger_remote_pam.j2
PRE-CREATION
ambari-server/src/main/resources/common-services/RANGER/0.5.0/configuration/ranger-admin-site.xml
c0e537b
ambari-web/app/data/HDP2.3/site_properties.js 9ae68df
Diff: https://reviews.apache.org/r/53722/diff/
Testing
-------
In this patch, the default value for the ranger-admin module is:
    auth sufficient pam_unix.so
    auth sufficient pam_sss.so
    account sufficient pam_unix.so
    account sufficient pam_sss.so
1. Create a Unix user shiwang, sync the Unix user to Ranger, restart
ranger-admin as root and log in to Ranger using shiwang; it will succeed.
2. Change the ranger-admin PAM file to
    auth sufficient pam_deny.so
    account sufficient pam_deny.so
and log in using shiwang; it will fail.
3. Change the ranger-admin PAM file to
    auth sufficient pam_ldap.so
    account sufficient pam_ldap.so
and use an LDAP user that is already synced in Ranger (it will show a "user
not synced" error if not synced in Ranger); login will succeed.
4. Configure sssd with LDAP; login using the synced user from LDAP will
succeed.
Thanks,
Shi Wang
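
Added example, not part of the original e-mail or of the Ambari patch: a simplified Python model of how Linux-PAM resolves the stacks tested above, showing why a file made only of `sufficient` lines denies the login when no module succeeds. The module outcomes are constructed inputs, the function names are hypothetical, and only the four basic control keywords are modelled.

```python
# Simplified model of Linux-PAM stack evaluation (added example; covers only
# the required / requisite / sufficient / optional control keywords).
DEFAULT_PAM = """\
auth sufficient pam_unix.so
auth sufficient pam_sss.so
account sufficient pam_unix.so
account sufficient pam_sss.so
"""
DENY_PAM = """\
auth sufficient pam_deny.so
account sufficient pam_deny.so
"""

def parse_pam(text):
    """Return {type: [(control, module), ...]} from PAM service-file text."""
    stacks = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 3:
            stacks.setdefault(fields[0], []).append((fields[1], fields[2]))
    return stacks

def evaluate(stack, outcomes):
    """outcomes: module name -> True if it would succeed (constructed input).
    Modules missing from outcomes are treated as failing."""
    failed = succeeded = False
    for control, module in stack:
        ok = outcomes.get(module, False)
        if control == "sufficient":
            if ok and not failed:
                return True          # success ends the stack immediately
            # a failing sufficient module is ignored
        elif control == "requisite":
            if not ok:
                return False         # failure ends the stack immediately
            succeeded = True
        elif control == "required":
            succeeded, failed = succeeded or ok, failed or not ok
        elif control == "optional":
            succeeded = succeeded or ok
        else:
            raise ValueError(f"unsupported control: {control}")
    # With no positive result at all, PAM denies: an all-sufficient stack
    # whose modules all fail rejects the login.
    return succeeded and not failed

def login_allowed(pam_text, outcomes):
    """Both the auth and account stacks must pass (a missing stack denies here)."""
    stacks = parse_pam(pam_text)
    return all(evaluate(stacks.get(t, []), outcomes) for t in ("auth", "account"))
```

Real Linux-PAM falls back to the `other` service when a stack is missing and supports bracketed `[value=action]` controls; neither is modelled here.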